Répertoire des articles en gouvernance publiés sur LinkedIn


L’un des moyens utilisés pour mieux faire connaître les grandes tendances en gouvernance de sociétés est la publication d’articles choisis sur ma page LinkedIn.

Ces articles sont issus des parutions sur mon blogue Gouvernance | Jacques Grisé

Depuis janvier 2016, j’ai publié un total de 43 articles sur ma page LinkedIn.

Aujourd’hui, je vous propose la liste des 10 articles que j’ai publiés à ce jour en 2019 :

 

Liste des 10 articles publiés à ce jour en 2019

 

Image associée

 

 

1, Les grandes firmes d’audit sont plus sélectives dans le choix de leurs mandats

2. Gouvernance fiduciaire et rôles des parties prenantes (stakeholders)

3. Problématiques de gouvernance communes lors d’interventions auprès de diverses organisations – Partie I Relations entre président du CA et DG

4. L’âge des administrateurs de sociétés représente-t-il un facteur déterminant dans leur efficacité comme membres indépendants de CA ?

5. On constate une évolution progressive dans la composition des conseils d’administration

6. Doit-on limiter le nombre d’années qu’un administrateur siège à un conseil afin de préserver son indépendance ?

7. Manuel de saine gouvernance au Canada

8. Étude sur le mix des compétences dans la composition des conseils d’administration

9. Indice de diversité de genre | Equilar

10. Le conseil d’administration est garant de la bonne conduite éthique de l’organisation !

 

Si vous souhaitez voir l’ensemble des parutions, je vous invite à vous rendre sur le Lien vers les 43 articles publiés sur LinkedIn depuis 2016

 

Bonne lecture !

De nombreux programmes de formation continue à l’intention des administrateurs de sociétés


Que l’on soit soumis à une politique de formation continue ou non, janvier est un bon moment pour planifier des formations d’appoint.

Ayant une bonne connaissance des formations offertes aux membres de conseils d’administration, je me permets de vous suggérer les formations offertes par le Collège des administrateurs de sociétés (CAS).

Les formations du Collège sont à la fine pointe en matière de perfectionnement des administrateurs.

En plus de leurs formations spécialisées (PME, TI, OBNL), le Collège offre des programmes de perfectionnement pour les administrateurs (ASC ou non) qui sont variés et pertinents.

De plus, je vois que les formations sont offertes en présentiel et même en ligne. Voilà un bon moyen de cumuler des heures de formation continue, sans même se déplacer !

Bonne lecture !

 

Entête programme de perfectionnement

 

 

FAIRE RAYONNER L’EXCELLENCE DES ADMINISTRATEURS DE SOCIÉTÉS CERTIFIÉS

Nouvelles perspectives pour la gouvernance en 2018


Aujourd’hui, je vous propose la lecture d’un excellent article de Martin Lipton* sur les nouvelles perspectives de la gouvernance en 2018. Cet article est publié sur le site du Harvard Law School Forum on Corporate Governance.

Après une brève introduction portant sur les meilleures pratiques observées dans les entreprises cotées, l’auteur se penche sur les paramètres les plus significatifs de la nouvelle gouvernance.

Les thèmes suivants sont abordés dans un contexte de renouvellement de la gouvernance pour le futur :

  1. La notion de l’actionnariat élargie pour tenir compte des parties prenantes ;
  2. L’importance de considérer le développement durable et la responsabilité sociale des entreprises ;
  3. L’adoption de stratégies favorisant l’engagement à long terme ;
  4. La nécessité de se préoccuper de la composition des membres du CA ;
  5. L’approche à adopter eu égard aux comportements d’actionnaires/investisseurs activistes ;
  6. Les attentes eu égard aux rôles et responsabilités des administrateurs.

À l’approche de la nouvelle année 2018, cette lecture devrait compter parmi les plus utiles pour les administrateurs et les dirigeants d’entreprises ainsi que pour toute personne intéressée par l’évolution des pratiques de gouvernance.

Bonne lecture ! Vos commentaires sont appréciés.

 

Some Thoughts for Boards of Directors in 2018

 

 

Introduction

 

As 2017 draws to a conclusion and we reflect on the evolution of corporate governance since the turn of the millennium, a recurring question percolating in boardrooms and among shareholders and other stakeholders, academics and politicians is: what’s next on the horizon for corporate governance? In many respects, we seem to have reached a point of relative stasis. The governance and takeover defense profiles of U.S. public companies have been transformed by the widespread adoption of virtually all of the “best practices” advocated to enhance the rights of shareholders and weaken takeover defenses.

While the future issues of corporate governance remain murky, there are some emerging themes that portend a potentially profound shift in the way that boards will need to think about their roles and priorities in guiding the corporate enterprise. While these themes are hardly new, they have been gaining momentum in prompting a rethinking of some of the most basic assumptions about corporations, corporate governance and the path forward.

First, while corporate governance continues to be focused on the relationship between boards and shareholders, there has been a shift toward a more expansive view that is prompting questions about the broader role and purpose of corporations. Most of the governance reforms of the past few decades targeted the ways in which boards are structured and held accountable to the interests of shareholders, with debates often boiling down to trade-offs between a board-centric versus a more shareholder-centric framework and what will best create shareholder value. Recently, efforts to invigorate a more long-term perspective among both corporations and their investors have been laying the groundwork for a shift from these process-oriented debates to elemental questions about the basic purpose of corporations and how their success should be measured and defined.

In particular, sustainability has become a major, mainstream governance topic that encompasses a wide range of issues such as climate change and other environmental risks, systemic financial stability, labor standards, and consumer and product safety. Relatedly, an expanded notion of stakeholder interests that includes employees, customers, communities, and the economy and society as a whole has been a developing theme in policymaking and academic spheres as well as with investors. As summarized in a 2017 report issued by State Street Global Advisor,

“Today’s investors are looking for ways to put their capital to work in a more sustainable way, one focused on long-term value creation that enables them to address their financial goals and responsible investing needs. So, for a growing number of institutional investors, the environmental, social and governance (ESG) characteristics of their portfolio are key to their investment strategy.”

While both sustainability and expanded constituency considerations have been emphasized most frequently in terms of their impact on long-term shareholder value, they have also been prompting fresh dialogue about the societal role and purpose of corporations.

Another common theme that underscores many of the corporate governance issues facing boards today is that corporate governance is inherently complex and nuanced, and less amenable to the benchmarking and quantification that was a significant driver in the widespread adoption of corporate governance “best practices.” Prevailing views about what constitutes effective governance have morphed from a relatively binary, check-the-box mentality—such as whether a board is declassified, whether shareholders can act by written consent and whether companies have adopted majority voting standards—to tackling questions such as how to craft a well-rounded board with the skills and experiences that are most relevant to a particular corporation, how to effectively oversee the company’s management of risk, and how to forge relationships with shareholders that meaningfully enhance the company’s credibility. Companies and investors alike have sought to formulate these “next generation” governance issues in a way that facilitates comparability, objective assessment and accountability. For example, many companies have been including skills matrices in their proxy statements to show, in a visual snapshot, that their board composition encompasses appropriate skills and experiences. Yet, to the extent that complicated governance issues cannot be reduced to simple, user-friendly metrics, it remains to be seen whether this will prompt new ways of defining “good” corporate governance that require a deeper understanding of companies and their businesses, and the impact that could have on the expectations and practices of stakeholders.

Against this backdrop, a few of the more significant issues that boards of directors will face in the coming year, as well as an overview of some key roles and responsibilities, are highlighted below. Parts II through VI contain brief summaries of some of the leading proposals and thinking for corporate governance of the future. In Part VII, we turn to the issues boards of directors will face in 2018 and suggestions as to how to prepare to deal with them.

 

Expanded Stakeholders

 

The primacy of shareholder value as the exclusive objective of corporations, as articulated by Milton Friedman and then thoroughly embraced by Wall Street, has come under scrutiny by regulators, academics, politicians and even investors. While the corporate governance initiatives of the past year cannot be categorized as an abandonment of the shareholder primacy agenda, there are signs that academic commentators, legislators and some investors are looking at more nuanced and tempered approaches to creating shareholder value.

In his 2013 book, Firm Commitment: Why the Corporation is Failing Us and How to Restore Trust in It, and a series of brilliant articles and lectures, Colin Mayer of the University of Oxford has convincingly rejected shareholder value primacy and put forth proposals to reconceive the business corporation so that it is committed to all its stakeholders, including the community and the general economy. His new book, Prosperity: Better Business Makes the Greater Good, to be published by Oxford University Press in 2018, continues the theme of his earlier publications and will be required reading.

Similarly, an influential working paper by Oliver Hart and Luigi Zingales argues that the appropriate objective of the corporation is shareholder welfare rather than shareholder wealth. Hart and Zingales advocate that corporations and asset managers should pursue policies consistent with the preferences of their investors, specifically because corporations may be able to accomplish objectives that shareholders acting individually cannot. In such a setting, the implicit separability assumption underlying Milton Friedman’s theory of the purpose of the firm fails to produce the best outcome for shareholders. Indeed, even though Hart and Zingales propose a revision that remains shareholder-centered, by recognizing the unique capability of corporations to engage in certain kinds of activities, their theory invites a careful consideration of other goals such as sustainability, board diversity and employee welfare, and even such social concerns, as, for example, reducing mass violence or promoting environmental stewardship. Such a model of corporate decision-making emphasizes the importance of boards establishing a relationship with significant shareholders to understand shareholder goals, beyond simply assuming that an elementary wealth maximization framework is the optimal path.

Perhaps closer to a wholesale rejection of the shareholder primacy agenda, an article by Joseph L. Bower and Lynn S. Paine, featured in the May-June 2017 issue of the Harvard Business Review, attacks the fallacies of the economic theories that have been used since 1970 to justify shareholder-centric corporate governance, short-termism and activist attacks on corporations. In questioning the benefits of hedge fund activism, Bower and Paine argue that some of the value purportedly created for shareholders by activists is not actually value created, but rather value transferred from other parties or from the public purse, such as shifting a company’s tax domicile to a lower-tax jurisdiction or eliminating exploratory research and development. The article supports the common sense notion that boards have a fiduciary duty not just to shareholders, but also to employees, customers and the community—a constituency theory of governance penned into law in a number of states’ business corporation laws.

Moreover, this theme has been metastasizing from a theoretical debate into specific reform initiatives that, if implemented, could have a direct impact on boards. For example, Delaware and 32 other states and the District of Columbia have passed legislation approving a new corporate form—the benefit corporation —a for-profit corporate entity with expanded fiduciary obligations of boards to consider other stakeholders in addition to shareholders. Benefit corporations are mandated by law to consider their overall positive impact on society, their workers, the communities in which they operate and the environment, in addition to the goal of maximizing shareholder profit.

This broader sense of corporate purpose has been gaining traction among shareholders. For example, the endorsement form for the Principles published by the Investor Stewardship Group in 2017 includes:

“[I]t is the fiduciary responsibility of all asset managers to conduct themselves in accordance with the preconditions for responsible engagement in a manner that accrues to the best interests of stakeholders and society in general, and that in so doing they’ll help to build a framework for promoting long-term value creation on behalf of U.S. companies and the broader U.S. economy.”

Notions of expanded stakeholder interests have often been incorporated into the concept of long-termism, and advocating a long-term approach has also entailed the promotion of a broader range of stakeholder interests without explicitly eroding the primacy of shareholder value. Recently, however, the interests of other stakeholders have increasingly been articulated in their own right rather than as an adjunct to the shareholder-centric model of corporate governance. Ideas about the broader social purpose of corporations have the potential to drive corporate governance reforms into uncharted territory requiring navigation of new questions about how to measure and compare corporate performance, how to hold companies accountable and how to incentivize managers.

 

Sustainability

 

The meaning of sustainability is no longer limited to describing environmental practices, but rather more broadly encompasses the sustainability of a corporation’s business model in today’s fast-changing world. The focus on sustainability encompasses the systemic sustainability of public markets and pressures boards to think about corporate strategy and how governance should be structured to respond to and compete in this environment.

Recently, the investing world has seen a rise of ESG-oriented funds—previously a small, niche segment of the investment community. Even beyond these specialized funds, ESG has also become a focus of a broad range of traditional investment funds and institutional investors. For instance, BlackRock and State Street both offer their investors products that specifically focus on ESG-oriented topics like climate change and impact investing—investing with an intention of generating a specific social or environmental outcome alongside financial returns.

At the beginning of 2017, State Street’s CEO Ronald P. O’Hanley wrote a letter advising the boards of the companies in which State Street invests that State Street defines sustainability “as encompassing a broad range of environmental, social and governance issues that include, for example, effective independent board leadership and board composition, diversity and talent development, safety issues, and climate change.” The letter was a reminder that broader issues that impact all of a company’s stakeholders may have a material effect on a company’s ability to generate returns. Chairman and CEO of BlackRock, Laurence D. Fink remarked similarly in his January 2017 letter that

“[e]nvironmental, social and governance factors relevant to a company’s business can provide essential insights into management effectiveness and thus a company’s long-term prospects. We look to see that a company is attuned to the key factors that contribute to long-term growth: sustainability of the business model and its operations, attention to external and environmental factors that could impact the company, and recognition of the company’s role as a member of the communities in which it operates.”

Similarly, the UN Principles for Responsible Investment remind corporations that ESG factors should be incorporated into all investment decisions to better manage risk and generate sustainable, long-term returns.

Shareholders’ engagement with ESG issues has also increased. Previously, ESG was somewhat of a fringe issue with ESG-related shareholder proxy proposals rarely receiving significant shareholder support. This is no longer the case. In the 2017 proxy season, the two most common shareholder proposal topics related to social (201 proposals) and environmental (144 proposals, including 69 on climate change) issues, as opposed to 2016’s top two topics of proxy access (201) and social issues (160). Similar to cybersecurity and other risk management issues, sustainability practices involve the nuts and bolts of operations—e.g., life-cycle assessments of a product and management of key performance indicators (KPIs) using management information systems that facilitate internal and public reporting—and provide another example of an operational issue that has become a board/governance issue.

The expansion of sustainability requires all boards—not just boards of companies with environmentally sensitive businesses—to be aware of and be ready to respond to ESG-related concerns. The salient question is whether “best” sustainability practices will involve simply the “right” messaging and disclosures, or whether investors and companies will converge on a method to measure sustainability practices that affords real impact on capital allocation, risk-taking and proactive—as opposed to reactive—strategy.

Indeed, measurement and accountability are perhaps the elephants in the room when it comes to sustainability. Many investors appear to factor sustainability into their investing decisions. Other ways to measure sustainability practices include the presence of a Chief Sustainability Officer or Corporate Responsibility Committee. However, while there are numerous disclosure frameworks relating to sustainability and ESG practices, there is no centralized ESG rating system. Further, rating methodologies and assessments of materiality vary widely across ESG data providers and disclosure requirements vary across jurisdictions.

Pending the development of clear and agreed standards to benchmark performance on ESG issues, boards of directors should focus on understanding how their significant investors value and measure ESG issues, including through continued outreach and engagement with investors focusing on these issues, and should seek tangible agreed-upon methodologies to address these areas, while also promoting the development of improved metrics and disclosure.

Promoting a Long-Term Perspective

 

As the past year’s corporate governance conversation has explored considerations outside the goal of maximizing shareholder value, the conversation within the shareholder value maximization framework has also continued to shift toward an emphasis on long-term value rather than short term. A February 2017 discussion paper from the McKinsey Global Institute in cooperation with Focusing Capital on the Long Term found that long-term focused companies, as measured by a number of factors including investment, earnings quality and margin growth, generally outperformed shorter-term focused companies in both financial and other performance measures. Long-term focused companies had greater, and less volatile, revenue growth, more spending on research and development, greater total returns to shareholders and more employment than other firms.

This empirical evidence that corporations focused on stakeholders and long-term investment contribute to greater economic growth and higher GDP is consistent with innovative corporate governance initiatives. A new startup, comprised of veterans of the NYSE and U.S. Treasury Department, is working on creating the “Long-Term Stock Exchange”—a proposal to build and operate an entirely new stock exchange where listed companies would have to satisfy not only all of the normal SEC requirements to allow shares to trade on other regulated U.S. stock markets but, in addition, other requirements such as tenured shareholder voting power (permitting shareholder voting to be proportionately weighted by the length of time the shares have been held), mandated ties between executive pay and long-term business performance and disclosure requirements informing companies who their long-term shareholders are and informing investors of what companies’ long-term investments are.

In addition to innovative alternatives, numerous institutional investors and corporate governance thought leaders are rethinking the mainstream relationship between all boards of directors and institutional investors to promote a healthier focus on long-term investment. While legislative reform has taken a stronger hold in the U.K. and Europe, leading American companies and institutional investors are pushing for a private sector solution to increase long-term economic growth. Commonsense Corporate Governance Principles and The New Paradigm: A Roadmap for an Implicit Corporate Governance Partnership Between Corporations and Investors to Achieve Sustainable Long-Term Investment and Growth were published in hopes of recalibrating the relationship between boards and institutional investors to protect the economy against the short-term myopic approach to management and investing that promises to impede long-term economic prosperity. Under a similar aim, the Investor Stewardship Group published its Stewardship Principles and Corporate Governance Principles, set to become effective in January 2018, to establish a framework with six principles for investor stewardship and six principles for corporate governance to promote long-term value creation in American business. A Synthesized Paradigm for Corporate Governance, Investor Stewardship, and Engagement provides a synthesis of these and others in the hope that companies and investors would agree on a common approach. In fact, over 100 companies to date have signed The Compact for Responsive and Responsible Leadership: A Roadmap for Sustainable Long-Term Growth and Opportunity, sponsored by the World Economic Forum, which includes the key features of The New Paradigm.

Similarly, the BlackRock Investment Stewardship team has proactively outlined five focus areas for its engagement efforts: Governance, Corporate Strategy for the Long-Term, Executive Compensation that Promotes Long-Termism, Disclosure of Climate Risks, and Human Capital Management. BlackRock’s outline reflects a number of key trends, including heightened transparency by institutional investors, more engagement by “passive” investors, and continued disintermediation of proxy advisory firms. In the United Kingdom, The Investor Forum was founded to provide an intermediary to represent the views of its investor members to investee companies in the hope of reducing activism, and appears to have achieved a successful start.

Similarly, in June 2017, the Coalition for Inclusive Capitalism and Ernst & Young jointly announced the launch of a project on long-term value creation. Noting among other elements that trust and social cohesion are necessary ingredients for the long-term success of capitalism, the project will emphasize reporting mechanisms and credible measurements supporting long-term value, developing and testing a framework to better reflect the full value companies create beyond simply financial value. There is widespread agreement that focusing on long-term investment will promote long-term economic growth. The next step is a consensus between companies and investors on a common path of action that will lead to restored trust and cohesion around long-term goals.

 

Board Composition

 

The corporate governance conversation has become increasingly focused on board composition, including board diversity. Recent academic studies have confirmed and expanded upon existing empirical evidence that hedge fund activism has been notably counterproductive in increasing gender diversity—yet another negative externality of this type of activism. Statistical evidence supports the hypothesis that the rate of shareholder activism is higher toward female CEOs holding all else equal, including industries, company sizes and levels of performance. A study forthcoming in the Journal of Applied Psychology investigated the reasons that hedge fund activists seemingly ignore the evidence for gender-diverse boards in their choices for director nominees and disproportionately target female CEOs. The authors suggest these reasons may include subconscious biases of hedge funds against women leaders due to perceptions and cultural attitudes.

In the United Kingdom, the focus on board diversity has spread into policy. The House of Commons Business, Energy, and Industrial Strategy Committee report on Corporate Governance, issued in 2017, included recommendations for improving ethnic, gender and social diversity of boards, noting that “[to] be an effective board, individual directors need different skills, experience, personal attributes and approaches.” The U.K. government’s response to this report issued in September 2017 notes its agreement on various diversity-related issues, stating that the “Government agrees with the Committee that it makes business sense to recruit directors from as broad a base as possible across the demographic of the UK” and further, tying into themes of stakeholder capitalism, that the “Government believes that greater diversity within the boardroom can help companies connect with their workforces, supply chains, customers and shareholders.”

In the United States, institutional investors are focused on a range of board composition issues, including term limits, board refreshment, diversity, skills matrices and board evaluation processes, as well as disclosures regarding these issues. In a recent letter, Vanguard explained that it considers the board to be “one of a company’s most critical strategic assets” and looks for a “high-functioning, well-composed, independent, diverse, and experienced board with effective ongoing evaluation practices,” stating that “Good governance starts with a great Board.” The New York Comptroller’s Boardroom Accountability Project 2.0 is focused on increasing diversity of boards in order to strengthen their independence and competency. In connection with launching this campaign, the NYC Pension Funds asked the boards of 151 U.S. companies to disclose the race and gender of their directors alongside board members’ skills in a standardized matrix format. And yet, similar to the difficulty of measuring and comparing sustainability efforts of companies, investors and companies alike continue to struggle with how to measure and judge a board’s diversity, and board composition generally, as the conversation becomes more nuanced. Board composition and diversity aimed at increasing board independence and competency is not a topic that lends itself to a “check-the-box” type measurement.

In light of the heightened emphasis on board composition, boards should consider increasing their communications with their major shareholders about their director selection and nomination processes to show the board understands the importance of its composition. Boards should consider disclosing how new director candidates are identified and evaluated, how committee chairs and the lead director are determined, and how the operations of the board as a whole and the performance of each director are assessed. Boards may also focus on increasing tutorials, facility visits, strategic retreats and other opportunities to increase the directors’ understanding of the company’s business—and communicate such efforts to key shareholders and constituents.

 

Activism

 

Despite the developments and initiatives striving to protect and promote long-term investment, the most dangerous threat to long-term economic prosperity has continued to surge in the past year. There has been a significant increase in activism activity in countries around the world and no slowdown in the United States. The headlines of 2017 were filled with activists who do not fit the description of good stewards of the long-term interests of the corporation. A must-read Bloombergarticle described Paul Singer, founder of Elliott Management Corp., which manages $34 billion of assets, as “aggressive, tenacious and litigious to a fault” and perhaps “the most feared activist investor in the world.” Numerous recent activist attacks underscore that the CEO remains a favored activist target. Several major funds have become more nuanced and taken a merchant banker approach of requesting board representation to assist a company to improve operations and strategy for long-term success. No company is too big for an activist attack. Substantial new capital has been raised by activist hedge funds and several activists have created special purpose funds for investment in a single target. As long as activism remains a serious threat, the economy will continue to experience the negative externalities of this approach to investing—companies attempting to avoid an activist attack are increasingly managed for the short term, cutting important spending on research and development and focusing on short-term profits by effecting share buybacks and paying dividends at the expense of investing in a strategy for long-term growth.

To minimize the impact of activist attacks, boards must focus on building relationships with major institutional investors. The measure of corporate governance success has shifted from checking the right boxes to building the right relationships. Major institutional investors have reiterated their commitment to bringing a long-term perspective to public companies, including, for example, Vanguard, which sent an open letter to directors of public companies world-wide explaining that a long-term perspective informed every aspect of its investment approach. Only by forging relationships of trust and credibility with long-term shareholders can a company expect to gain support for its long-term strategy when it needs it. In many instances, when an activist does approach, a previously established relationship provides a foundation for management and the board to persuade key shareholders that short-term activism is not in their best interest—an effort that is already showing some promise. General Motors’ resounding defeat of Greenlight Capital’s attempt to gain shareholder approval to convert its common stock into two classes shows a large successful company’s ability to garner the

support of its institutional investors against financial engineering. Trian’s recent proxy fight against Procter & Gamble shows the importance of proactively establishing relationships with long-term shareholders. Given Trian’s proven track record of success in urging changes in long-term strategy, Nelson Peltz was able to gain support for a seat on P&G’s board from proxy advisors and major institutional investors. We called attention to importantlessons from this proxy fight (discussed on the Forum here and here).

 

Spotlight on Boards

 

The ever-evolving challenges facing corporate boards prompts an updated snapshot of what is expected from the board of directors of a major public company—not just the legal rules, but also the aspirational “best practices” that have come to have equivalent influence on board and company behavior. In the coming year, boards will be expected to:

Oversee corporate strategy and the communication of that strategy to investors;

Set the tone at the top to create a corporate culture that gives priority to ethical standards, professionalism, integrity and compliance in setting and implementing strategic goals;

Choose the CEO, monitor the CEO’s and management’s performance and develop a succession plan;

Determine the agendas for board and committee meetings and work with management to assure appropriate information and sufficient time are available for full consideration of all matters;

Determine the appropriate level of executive compensation and incentive structures, with awareness of the potential impact of compensation structures on business priorities and risk-taking, as well as investor and proxy advisor views on compensation;

Develop a working partnership with the CEO and management and serve as a resource for management in charting the appropriate course for the corporation;

Oversee and understand the corporation’s risk management and compliance efforts, and how risk is taken into account in the corporation’s business decision-making; respond to red flags when and if they arise (see Risk Management and the Board of Directors, discussed on the Forum here);

Monitor and participate, as appropriate, in shareholder engagement efforts, evaluate potential corporate governance proposals and anticipate possible activist attacks in order to be able to address them more effectively;

Evaluate the board’s performance on a regular basis and consider the optimal board and committee composition and structure, including board refreshment, expertise and skill sets, independence and diversity, as well as the best way to communicate with investors regarding these issues;

Review corporate governance guidelines and committee charters and tailor them to promote effective board functioning;

Be prepared to deal with crises; and

Be prepared to take an active role in matters where the CEO may have a real or perceived conflict, including takeovers and attacks by activist hedge funds focused on the CEO.

To meet these expectations, major public companies should seek to:

Have a sufficient number of directors to staff the requisite standing and special committees and to meet expectations for diversity;

Have directors who have knowledge of, and experience with, the company’s businesses, even if this results in the board having more than one director who is not “independent”;

Have directors who are able to devote sufficient time to preparing for and attending board and committee meetings;

Meet investor expectations for director age, diversity and periodic refreshment;

Provide the directors with the data that is critical to making sound decisions on strategy, compensation and capital allocation;

Provide the directors with regular tutorials by internal and external experts as part of expanded director education; and

Maintain a truly collegial relationship among and between the company’s senior executives and the members of the board that enhances the board’s role both as strategic partner and as monitor.

______________________________________

*Martin Lipton is a founding partner of Wachtell, Lipton, Rosen & Katz, specializing in mergers and acquisitions and matters affecting corporate policy and strategy. This post is based on a Wachtell Lipton publication by Mr. Lipton, Steven A. Rosenblum, Karessa L. Cain, Sabastian V. Niles, Vishal Chanani, and Kathleen C. Iannone.

Guide des pratiques exemplaires en matière de gestion des risques | Les responsabilités des administrateurs


Les administrateurs de sociétés doivent apporter une attention spéciale à la gestion des risques telle qu’elle est mise en œuvre par les dirigeants des entreprises.

Les préoccupations des fiduciaires pour la gestion des risques, quoique fondamentales, sont relativement récentes, et les administrateurs ne savent souvent pas comment aborder cette question.

L’article présenté, ci-dessous, est le fruit d’une recherche de Martin Lipton, fondateur de la firme Wachtell, Lipton, Rosen & Katz, spécialisée dans les fusions et acquisitions ainsi que dans les affaires de gouvernance.

L’auteur et ses collaborateurs ont produit un guide des pratiques exemplaires en matière de gestion des risques. Cet article de fond s’adresse aux administrateurs et touche aux éléments-clés de la gestion des risques :

(1) la distinction entre la supervision des risques et la gestion des risques ;

(2) les leçons que l’on doit tirer de la supervision des risques à Wells Fargo ;

(3) l’importance accordée par les investisseurs institutionnels aux questions des risques ;

(4) « tone at the top » et culture organisationnelle ;

(5) les devoirs fiduciaires, les contraintes réglementaires et les meilleures pratiques ;

(6) quelques recommandations spécifiques pour améliorer la supervision des risques ;

(7) les programmes de conformité juridiques ;

(8) les considérations touchant les questions de cybersécurité ;

(9) quelques facettes se rapportant aux risques environnementaux, sociaux et de gouvernance ;

(10) l’anticipation des risques futurs.

 

Voici donc l’introduction de l’article. Je vous invite à prendre connaissance de l’article au complet.

Bonne lecture !

 

Risk Management and the Board of Directors

 

Résultats de recherche d'images pour « Gestion des risques et administrateurs de sociétés »

 

Overview

The past year has seen continued evolution in the political, legal and economic arenas as technological change accelerates. Innovation, new business models, dealmaking and rapidly evolving technologies are transforming competitive and industry landscapes and impacting companies’ strategic plans and prospects for sustainable, long-term value creation. Tax reform has created new opportunities and challenges for companies too. Meanwhile, the severe consequences that can flow from misconduct within an organization serve as a reminder that corporate operations are fraught with risk. Social and environmental issues, including heightened focus on income inequality and economic disparities, scrutiny of sexual misconduct issues and evolving views on climate change and natural disasters, have taken on a new salience in the public sphere, requiring companies to exercise utmost care to address legitimate issues and avoid public relations crises and liability.

Corporate risk taking and the monitoring of corporate risk remain prominently top of mind for boards of directors, investors, legislators and the media. Major institutional shareholders and proxy advisory firms increasingly evaluate risk oversight matters when considering withhold votes in uncontested director elections and routinely engage companies on risk-related topics. This focus on risk management has also led to increased scrutiny of compensation arrangements throughout the organization that have the potential for incentivizing excessive risk taking. Risk management is no longer simply a business and operational responsibility of management. It has also become a governance issue that is squarely within the oversight responsibility of the board. This post highlights a number of issues that have remained critical over the years and provides an update to reflect emerging and recent developments. Key topics addressed in this post include:

the distinction between risk oversight and risk management;

a lesson from Wells Fargo on risk oversight;

the strong institutional investor focus on risk matters;

tone at the top and corporate culture;

fiduciary duties, legal and regulatory frameworks and third-party guidance on best practices;

specific recommendations for improving risk oversight;

legal compliance programs;

special considerations regarding cybersecurity matters;

special considerations pertaining to environmental, social and governance (ESG) risks; and

anticipating future risks.

Enjeux clés concernant les membres des comités d’audit | En rappel


Le récent rapport de KPMG sur les grandes tendances en audit présente sept défis que les membres des CA, notamment les membres des comités d’audit, doivent considérer afin de bien s’acquitter de leurs responsabilités dans la gouvernance des sociétés.

Le rapport a été rédigé par des professionnels en audit de la firme KPMG ainsi que par le Conference Board du Canada.

Les sept défis abordés dans le rapport sont les suivants :

– talent et capital humain ;

– technologie et cybersécurité ;

– perturbation des modèles d’affaires ;

– paysage réglementaire en évolution ;

– incertitude politique et économique ;

– évolution des attentes en matière de présentation de l’information ;

– environnement et changements climatiques.

Je vous invite à consulter le rapport complet ci-dessous pour de plus amples informations sur chaque enjeu.

Bonne lecture !

 

Tendances en audit

 

 

Résultats de recherche d'images pour « tendances en audit »

 

 

Alors que l’innovation technologique et la cybersécurité continuent d’avoir un impact croissant sur le monde des finances et des affaires à l’échelle mondiale, tant les comités d’audit que les chefs des finances reconnaissent le besoin de compter sur des talents de haut calibre pour contribuer à affronter ces défis et à en tirer parti.

Le rôle du comité d’audit est de s’assurer que l’organisation dispose des bonnes personnes possédant l’expérience et les connaissances requises, tant au niveau de la gestion et des opérations qu’au sein même de sa constitution. Il ne s’agit que de l’un des nombreux défis à avoir fait surface dans le cadre de ce troisième numéro du rapport Tendances en audit.

Les comités d’audit d’aujourd’hui ont la responsabilité d’aider les organisations à s’orienter parmi les nombreux enjeux et défis plus complexes que jamais auxquels ils font face, tout en remplissant leur mandat traditionnel de conformité et de présentation de l’information. Alors que les comités d’audit sont pleinement conscients de cette nécessité, notre rapport indique que les comités d’audit et les chefs des finances se demandent dans quelle mesure leur organisation est bien positionnée pour faire face à la gamme complète des tendances actuelles et émergentes.

Pour mettre en lumière cette préoccupation et d’autres enjeux clés, le rapport Tendances en audit se penche sur les sept défis qui suivent :

  1. talent et capital humain;
  2. technologie et cybersécurité;
  3. perturbation des modèles d’affaires;
  4. paysage réglementaire en évolution;
  5. incertitude politique et économique;
  6. évolution des attentes en matière de présentation de l’information;
  7. environnement et changements climatiques.

Au fil de l’évolution des mandats et des responsabilités, ce rapport se révélera être une ressource précieuse pour l’ensemble des parties prenantes en audit.

Quelles sont les tendances en gouvernance qui se sont avérées au cours des 4 dernières années ?


Dans un premier temps, j’ai tenté de répondre à cette question en renvoyant le lecteur à deux publications que j’ai faites sur le sujet. C’est du genre check-list !

Puis, dans un deuxième temps, je vous invite à consulter les documents suivants qui me semblent très pertinents pour répondre à la question. Il s’agit en quelque sorte d’une revue de la littérature sur le sujet.

  1. La gouvernance relative aux sociétés en 2017 | Un « Survey » des entreprises du SV 150 et de la S&P 100
  2. Principales tendances en gouvernance à l’échelle internationale en 2017
  3. Séparation des fonctions de PDG et de président du conseil d’administration | Signe de saine gouvernance !
  4. Six mesures pour améliorer la gouvernance des organismes publics au Québec | Yvan Allaire
  5. Cadre de référence pour évaluer la gouvernance des sociétés | Questionnaire de 100 items
  6. La gouvernance française suit-elle la tendance mondiale ?
  7. Enquête mondiale sur les conseils d’administration et la gouvernance

 

J’espère que ces commentaires vous seront utiles, même si mon intervention est colorée par la situation canadienne et américaine !

Bonne lecture !

 

Résultats de recherche d'images pour « tendances en gouvernance »

 

Gouvernance : 12 tendances à surveiller

 

J’ai réalisé une entrevue avec le Journal des Affaires le 17 mars 2014. Une rédactrice au sein de l’Hebdo des AG, un média numérique qui se consacre au traitement des sujets touchant à la gouvernance des entreprises françaises, m’a contacté afin de connaître mon opinion sur quelles « prédictions » se sont effectivement avérées, et lesquelles restent encore à améliorer.

J’ai préparé quelques réflexions en référence aux douze tendances que j’avais identifiées le 17 mars 2014. J’ai donc revisité les tendances afin de vérifier comment la situation avait évolué en quatre ans. J’ai indiqué en rouge mon point de vue eu égard à ces tendances.

 « Si la gouvernance des entreprises a fait beaucoup de chemin depuis quelques années, son évolution se poursuit. Afin d’imaginer la direction qu’elle prendra au cours des prochaines années, nous avons consulté l’expert en gouvernance Jacques Grisé, ex- directeur des programmes du Collège des administrateurs de sociétés, de l’Université Laval. Toujours affilié au Collège, M. Grisé publie depuis plusieurs années le blogue www.jacquesgrisegouvernance.com, un site incontournable pour rester à l’affût des bonnes pratiques et tendances en gouvernance. Voici les 12 tendances dont il faut suivre l’évolution, selon Jacques Grisé »

 

  1. Les conseils d’administration réaffirmeront leur autorité. « Auparavant, la gouvernance était une affaire qui concernait davantage le management », explique M. Grisé. La professionnalisation de la fonction d’administrateur amène une modification et un élargissement du rôle et des responsabilités des conseils. Les CA sont de plus en plus sollicités et questionnés au sujet de leurs décisions et de l’entreprise. Cette affirmation est de plus en plus vraie. La formation certifiée en gouvernance est de plus en plus prisée. Les CA, et notamment les présidents de CA, sont de plus en plus sollicités pour expliquer leurs décisions, leurs erreurs et les problèmes de gestion de crise.
  2. La formation des administrateurs prendra de l’importance. À l’avenir, on exigera toujours plus des administrateurs. C’est pourquoi la formation est essentielle et devient même une exigence pour certains organismes. De plus, la formation continue se généralise ; elle devient plus formelle. Il va de soi que la formation en gouvernance prendra plus d’importance, mais les compétences et les expériences reliées au secteur d’activité de l’entreprise seront toujours très recherchées.
  3. L’affirmation du droit des actionnaires et celle du rôle du conseil s’imposeront. Le débat autour du droit des actionnaires par rapport à celui des conseils d’administration devra mener à une compréhension de ces droits conflictuels. Aujourd’hui, les conseils doivent tenir compte des parties prenantes en tout temps. Il existe toujours une situation potentiellement conflictuelle entre les intérêts des actionnaires et la responsabilité des administrateurs envers toutes les parties prenantes.
  4. La montée des investisseurs activistes se poursuivra. L’arrivée de l’activisme apporte une nouvelle dimension au travail des administrateurs. Les investisseurs activistes s’adressent directement aux actionnaires, ce qui mine l’autorité des conseils d’administration. Est-ce bon ou mauvais ? La vision à court terme des activistes peut être néfaste, mais toutes leurs actions ne sont pas négatives, notamment parce qu’ils s’intéressent souvent à des entreprises qui ont besoin d’un redressement sous une forme ou une autre. Pour bien des gens, les fonds activistes sont une façon d’améliorer la gouvernance. Le débat demeure ouvert. Le débat est toujours ouvert, mais force est de constater que l’actionnariat activiste est en pleine croissance partout dans le monde. Les effets souvent décriés des activistes sont de plus en plus acceptés comme bénéfiques dans plusieurs situations de gestion déficiente.
  5. La recherche de compétences clés deviendra la norme. De plus en plus, les organisations chercheront à augmenter la qualité de leur conseil en recrutant des administrateurs aux expertises précises, qui sont des atouts dans certains domaines ou secteurs névralgiques. Cette tendance est très nette. Les CA cherchent à recruter des membres aux expertises complémentaires.
  6. Les règles de bonne gouvernance vont s’étendre à plus d’entreprises. Les grands principes de la gouvernance sont les mêmes, peu importe le type d’organisation, de la PME à la société ouverte (ou cotée), en passant par les sociétés d’État, les organismes à but non lucratif et les entreprises familiales. Ici également, l’application des grands principes de gouvernance se généralise et s’applique à tous les types d’organisation, en les adaptant au contexte.
  7. Le rôle du président du conseil sera davantage valorisé. La tendance veut que deux personnes distinctes occupent les postes de président du conseil et de PDG, au lieu qu’une seule personne cumule les deux, comme c’est encore trop souvent le cas. Un bon conseil a besoin d’un solide leader, indépendant du PDG. Le rôle du Chairman est de plus en plus mis en évidence, car c’est lui qui représente le conseil auprès des différents publics. Il est de plus en plus indépendant de la direction. Les É.U. sont plus lents à adopter la séparation des fonctions entre Chairman et CEO.
  8. La diversité deviendra incontournable. Même s’il y a un plus grand nombre de femmes au sein des conseils, le déficit est encore énorme. Pourtant, certaines études montrent que les entreprises qui font une place aux femmes au sein de leur conseil sont plus rentables. Et la diversité doit s’étendre à d’autres origines culturelles, à des gens de tous âges et d’horizons divers. La diversité dans la composition des conseils d’administration est de plus en plus la norme. On a fait des progrès remarquables à ce chapitre, mais la tendance à la diminution de la taille des CA ralentit quelque peu l’accession des femmes aux postes d’administratrices.
  9. Le rôle stratégique du conseil dans l’entreprise s’imposera. Le temps où les CA ne faisaient qu’approuver les orientations stratégiques définies par la direction est révolu. Désormais, l’élaboration du plan stratégique de l’entreprise doit se faire en collaboration avec le conseil, en profitant de son expertise. Certes, l’un des rôles les plus importants des administrateurs est de voir à l’orientation de l’entreprise, en apportant une valeur ajoutée aux stratégies élaborées par la direction. Les CA sont toujours sollicités, sous une forme ou une autre, dans la conception de la stratégie.
  10. La réglementation continuera de se raffermir. Le resserrement des règles qui encadrent la gouvernance ne fait que commencer. Selon Jacques Grisé, il faut s’attendre à ce que les autorités réglementaires exercent une surveillance accrue partout dans le monde, y compris au Québec, avec l’Autorité des marchés financiers. En conséquence, les conseils doivent se plier aux règles, notamment en ce qui concerne la rémunération et la divulgation. Les responsabilités des comités au sein du conseil prendront de l’importance. Les conseils doivent mettre en place des politiques claires en ce qui concerne la gouvernance. Les conseils d’administration accordent une attention accrue à la gouvernance par l’intermédiaire de leur comité de gouvernance, mais aussi par leurs comités de RH et d’Audit. Les autorités réglementaires mondiales sont de plus en plus vigilantes eu égard à l’application des principes de saine gouvernance. La SEC, qui donnait souvent le ton dans ce domaine, est en mode révision de la réglementation parce que le gouvernement de Trump la juge trop contraignante pour les entreprises. À suivre !
  11. La composition des conseils d’administration s’adaptera aux nouvelles exigences et se transformera. Les CA seront plus petits, ce qui réduira le rôle prépondérant du comité exécutif, en donnant plus de pouvoir à tous les administrateurs. Ceux-ci seront mieux choisis et formés, plus indépendants, mieux rémunérés et plus redevables de leur gestion aux diverses parties prenantes. Les administrateurs auront davantage de responsabilités et seront plus engagés dans les comités aux fonctions plus stratégiques. Leur responsabilité légale s’élargira en même temps que leurs tâches gagnent en importance. Il faudra donc des membres plus engagés, un conseil plus diversifié, dirigé par un leader plus fort. C’est la voie que les CA ont empruntée. La taille des CA est de plus en plus réduite ; les conseils exécutifs sont en voie de disparition pour faire plus de place aux trois comités statutaires : Gouvernance, Ressources Humaines et Audit. Les administrateurs sont de plus en plus engagés et ils doivent investir plus de temps dans leurs fonctions.
  12. L’évaluation de la performance des conseils d’administration deviendra la norme. La tendance est déjà bien ancrée aux États-Unis, où les entreprises engagent souvent des firmes externes pour mener cette évaluation. Certaines choisissent l’auto-évaluation. Dans tous les cas, le processus est ouvert et si les résultats restent confidentiels, ils contribuent à l’amélioration de l’efficacité des conseils d’administration. Effectivement, l’évaluation de la performance des conseils d’administration est devenue une pratique quasi universelle dans les entreprises cotées. Celles-ci doivent d’ailleurs divulguer le processus dans le rapport aux actionnaires. On assiste à un énorme changement depuis les dix dernières années.

 

À ces 12 tendances, il faudrait en ajouter deux autres qui se sont révélées cruciales pour les conseils d’administration depuis quelques années :

(1) la mise en œuvre d’une politique de gestion des risques, l’identification des risques, l’évaluation des facteurs de risque eu égard à leur probabilité d’occurrence et d’impact sur l’organisation, le suivi effectué par le comité d’audit et par l’auditeur interne.

(2) le renforcement des ressources du conseil par l’ajout de compétences liées à la cybersécurité. La sécurité des données est l’un des plus grands risques des entreprises.

 

Aspects fondamentaux à considérer par les administrateurs dans la gouvernance des organisations

 

 

Récemment, je suis intervenu auprès du conseil d’administration d’une OBNL et j’ai animé une discussion tournant autour des thèmes suivants en affirmant certains principes de gouvernance que je pense être incontournables.

Vous serez certainement intéressé par les propositions suivantes :

(1) Le conseil d’administration est souverain — il est l’ultime organe décisionnel.

(2) Le rôle des administrateurs est d’assurer la saine gestion de l’organisation en fonction d’objectifs établis. L’administrateur a un rôle de fiduciaire, non seulement envers les membres qui les ont élus, mais aussi envers les parties prenantes de toute l’organisation. Son rôle comporte des devoirs et des responsabilités envers celle-ci.

(3) Les administrateurs ont un devoir de surveillance et de diligence ; ils doivent cependant s’assurer de ne pas s’immiscer dans la gestion de l’organisation (« nose in, fingers out »).

(4) Les administrateurs élus par l’assemblée générale ne sont pas porteurs des intérêts propres à leur groupe ; ce sont les intérêts supérieurs de l’organisation qui priment.

(5) Le président du conseil est le chef d’orchestre du groupe d’administrateurs ; il doit être en étroite relation avec le premier dirigeant et bien comprendre les coulisses du pouvoir.

(6) Les membres du conseil doivent entretenir des relations de collaboration et de respect entre eux ; ils doivent viser les consensus et exprimer leur solidarité, notamment par la confidentialité des échanges.

(7) Les administrateurs doivent être bien préparés pour les réunions du conseil et ils doivent poser les bonnes questions afin de bien comprendre les enjeux et de décider en toute indépendance d’esprit. Pour ce faire, ils peuvent tirer profit de l’avis d’experts indépendants.

(8) La composition du conseil devrait refléter la diversité de l’organisation. On doit privilégier l’expertise, la connaissance de l’industrie et la complémentarité.

(9) Le conseil d’administration doit accorder toute son attention aux orientations stratégiques de l’organisation et passer le plus clair de son temps dans un rôle de conseil stratégique.

(10) Chaque réunion devrait se conclure par un huis clos, systématiquement inscrit à l’ordre du jour de toutes les rencontres.

(11) Le président du CA doit procéder à l’évaluation du fonctionnement et de la dynamique du conseil.

(12) Les administrateurs doivent prévoir des activités de formation en gouvernance et en éthique.

 

Voici enfin une documentation utile pour bien appréhender les grandes tendances qui se dégagent dans le monde de la gouvernance aux É.U., au Canada et en France.

 

  1. La gouvernance relative aux sociétés en 2017 | Un « Survey » des entreprises du SV 150 et de la S&P 100
  2. Principales tendances en gouvernance à l’échelle internationale en 2017
  3. Séparation des fonctions de PDG et de président du conseil d’administration | Signe de saine gouvernance !
  4. Six mesures pour améliorer la gouvernance des organismes publics au Québec | Yvan Allaire
  5. Cadre de référence pour évaluer la gouvernance des sociétés | Questionnaire de 100 items
  6. La gouvernance française suit-elle la tendance mondiale ?
  7. Enquête mondiale sur les conseils d’administration et la gouvernance

 

Mesures à prendre en matière de contrôle interne afin d’éviter les fraudes de cybersécurité


Voici un article qui met l’accent sur les mesures à prendre en matière de contrôle interne afin d’éviter les fraudes de cybersécurité.

Les auteurs, Keith Higgins*et Marvin Tagabanis exposent les résultats de leurs recherches dans un billet publié sur le site de  Havard Law School Forum.

Les fraudes dont il est question concernent neuf entreprises qui ont été la cible des arnaques par l’utilisation de courriels.

The nine defrauded companies lost a total of nearly $100 million as a result of the email scams. The companies operated in different business sectors including technology, machinery, real estate, energy, financial, and consumer goods, which the Report suggests “reflect[s] the reality that every type of business is a potential target of cyber-related fraud.” The Report also highlighted the significant economic harm posed by “business email compromises” more broadly, which, based on FBI estimates, has caused over $5 billion in losses since 2013, with an additional $675 million in adjusted losses in 2017—the highest estimated out-of-pocket losses from any class of cyber-facilitated crime during this period.

Les auteurs notent que les escroqueries par le biais des courriels étaient principalement de deux types :

(1) Courriels envoyés par de faux dirigeants ;

(2) Courriels envoyés par de faux vendeurs.

Les auteurs présentent les implications du contrôle interne pour minimiser ces fraudes.

Bonne lecture !

 

Implementing Internal Controls in Cyberspace—Old Wine, New Skins

 

Résultats de recherche d'images pour « contrôle interne et cybersécurité »

 

On October 16, 2018, the SEC issued a Section 21(a) investigative report (the “Report”), [1]cautioning public companies to consider cyber threats when designing and implementing internal accounting controls. The Report arose out of an investigation focused on the internal accounting controls of nine public companies that were victims of “business email compromises” in which perpetrators posed as company executives or vendors and used emails to dupe company personnel into sending large sums to bank accounts controlled by the perpetrators. In the investigation, the SEC considered whether the companies had complied with the internal accounting controls provisions of the federal securities laws. Although the Report is in lieu of an enforcement action against any of the issuers, the SEC issued the Report to draw attention to the prevalence of these cyber-related scams and as a reminder that all public companies should consider cyber-related threats when devising and maintaining a system of internal accounting controls.

The nine defrauded companies lost a total of nearly $100 million as a result of the email scams. The companies operated in different business sectors including technology, machinery, real estate, energy, financial, and consumer goods, which the Report suggests “reflect[s] the reality that every type of business is a potential target of cyber-related fraud.” The Report also highlighted the significant economic harm posed by “business email compromises” more broadly, which, based on FBI estimates, has caused over $5 billion in losses since 2013, with an additional $675 million in adjusted losses in 2017—the highest estimated out-of-pocket losses from any class of cyber-facilitated crime during this period.

Two types of email scams were employed against the nine companies: (i) emails from fake executives, and (ii) emails from fake vendors.

Emails from Fake Executives. In the first type of scam, perpetrators emailed company finance personnel using spoofed email domains and addresses of an executive (typically the CEO) so that it appeared as if the email were legitimate. The spoofed email directed the employees to work with a purported outside attorney identified in the email, who then directed them to wire large payments to foreign bank accounts controlled by the perpetrators. Common elements among each of these schemes included: (1) the transactions or “deals” were time-sensitive and confidential; (2) the requested funds needed to be sent to foreign banks and beneficiaries in connection with foreign deals or acquisitions; and (3) the spoofed emails typically were sent to midlevel personnel, who were not generally responsible or involved in the deals and rarely communicated with the executives being spoofed.

Emails from Fake Vendors. The second type of scam was more technologically sophisticated than the spoofed executive emails because the schemes typically involved the perpetrators hacking into the email accounts of the companies’ foreign vendors. The perpetrators then requested that the vendors’ banking information be changed so that a company’s payments on outstanding invoices for legitimate transactions were sent to foreign accounts controlled by the perpetrators rather than the real vendors. The Report noted that some spoofed vendor email scams went undetected for an extended period of time because vendors often afforded companies months before considering a payment delinquent.

Considerations for Public Companies

In the Report, the SEC advises public companies to “pay particular attention to the obligations imposed by Section 13(b)(2)(B) to devise and maintain internal accounting controls that reasonably safeguard company and, ultimately, investor assets from cyber-related frauds.” Finance and accounting personnel at public companies should be aware that the above-described cyber-related scams exist, and these types of scams should be considered when implementing internal accounting controls.

Although the “cyber” aspect of these scams helps to make them a topic du jour, fake invoices are certainly no recent invention, nor are vendor requests to direct payments to a new address something that is unique to the email era. If the result of the Report is to cause companies to liberally insert “cyber” references into their internal controls, and little more, it will not have accomplished its objective. SEC Enforcement staff observed that the cyber-related frauds succeeded, at least in part, because the responsible personnel at the companies did not sufficiently understand the company’s existing controls or did not recognize indications in the emailed instructions that those communications lacked reliability. For example, in one matter, the accounting employee who received the spoofed email did not follow the company’s dual-authorization requirement for wire payments, directing unqualified subordinates to sign-off on the wires. In another case, the accounting employee misinterpreted the company’s authorization matrix as giving him approval authority at a level reserved for the CFO.

Scams will always be with us, and the Report recognizes that the effectiveness of internal accounting control systems largely depends on having trained personnel to implement, maintain, and follow such controls. Public companies should also consider the following points raised by the actions taken by the defrauded companies following the cyber-related scams:

Review and enhance payment authorization procedures, verification requirements for vendor information changes, account reconciliation procedures and outgoing payment notification processes, particularly to foreign jurisdictions.

Evaluate whether finance and accounting personnel are adequately trained on relevant cyber-related threats and provide additional training on any new policies and procedures implemented as a result of the above step.

The Report confirms that the SEC remains focused on cybersecurity matters and companies should continue to be vigilant against cyber threats. While the SEC stated that it was “not suggesting that every issuer that is the victim of a cyber-related scam is . . . in violation of the internal accounting controls requirements of the federal securities laws,” the Report also noted that “[h]aving internal accounting control systems that factor in such cyber-related threats, and related human vulnerabilities, may be vital to maintaining a sufficient accounting control environment and safeguarding assets.”

_________________________________________________

Endnotes

1Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements, Exchange Act Release No. 84429 (Oct. 16, 2018) (available here).(go back)

*Keith Higgins is chair of the securities and governance practice and Marvin Tagaban is an associate at Ropes & Gray LLP. This post is based on their Ropes & Gray memorandum.

Quelles tendances en gouvernance, identifiées en 2014, se sont avérées au 20 octobre 2018


Dans un premier temps, j’ai tenté de répondre à cette question en renvoyant le lecteur à deux publications que j’ai faites sur le sujet. C’est du genre check-list !

Puis, dans un deuxième temps, je vous invite à consulter les documents suivants qui me semblent très pertinents pour répondre à la question. Il s’agit en quelque sorte d’une revue de la littérature sur le sujet.

  1. La gouvernance relative aux sociétés en 2017 | Un « Survey » des entreprises du SV 150 et de la S&P 100
  2. Principales tendances en gouvernance à l’échelle internationale en 2017
  3. Séparation des fonctions de PDG et de président du conseil d’administration | Signe de saine gouvernance !
  4. Six mesures pour améliorer la gouvernance des organismes publics au Québec | Yvan Allaire
  5. Cadre de référence pour évaluer la gouvernance des sociétés | Questionnaire de 100 items
  6. La gouvernance française suit-elle la tendance mondiale ?
  7. Enquête mondiale sur les conseils d’administration et la gouvernance

 

J’espère que ces commentaires vous seront utiles, même si mon intervention est colorée par la situation canadienne et américaine !

Bonne lecture !

 

Résultats de recherche d'images pour « tendances en gouvernance »

 

Gouvernance : 12 tendances à surveiller

 

J’ai réalisé une entrevue avec le Journal des Affaires le 17 mars 2014. Une rédactrice au sein de l’Hebdo des AG, un média numérique qui se consacre au traitement des sujets touchant à la gouvernance des entreprises françaises, m’a contacté afin de connaître mon opinion sur quelles « prédictions » se sont effectivement avérées, et lesquelles restent encore à améliorer.

J’ai préparé quelques réflexions en référence aux douze tendances que j’avais identifiées le 17 mars 2014. J’ai donc revisité les tendances afin de vérifier comment la situation avait évolué en quatre ans. J’ai indiqué en rouge mon point de vue eu égard à ces tendances.

 « Si la gouvernance des entreprises a fait beaucoup de chemin depuis quelques années, son évolution se poursuit. Afin d’imaginer la direction qu’elle prendra au cours des prochaines années, nous avons consulté l’expert en gouvernance Jacques Grisé, ex- directeur des programmes du Collège des administrateurs de sociétés, de l’Université Laval. Toujours affilié au Collège, M. Grisé publie depuis plusieurs années le blogue www.jacquesgrisegouvernance.com, un site incontournable pour rester à l’affût des bonnes pratiques et tendances en gouvernance. Voici les 12 tendances dont il faut suivre l’évolution, selon Jacques Grisé »

 

  1. Les conseils d’administration réaffirmeront leur autorité. « Auparavant, la gouvernance était une affaire qui concernait davantage le management », explique M. Grisé. La professionnalisation de la fonction d’administrateur amène une modification et un élargissement du rôle et des responsabilités des conseils. Les CA sont de plus en plus sollicités et questionnés au sujet de leurs décisions et de l’entreprise. Cette affirmation est de plus en plus vraie. La formation certifiée en gouvernance est de plus en plus prisée. Les CA, et notamment les présidents de CA, sont de plus en plus sollicités pour expliquer leurs décisions, leurs erreurs et les problèmes de gestion de crise.
  2. La formation des administrateurs prendra de l’importance. À l’avenir, on exigera toujours plus des administrateurs. C’est pourquoi la formation est essentielle et devient même une exigence pour certains organismes. De plus, la formation continue se généralise ; elle devient plus formelle. Il va de soi que la formation en gouvernance prendra plus d’importance, mais les compétences et les expériences reliées au secteur d’activité de l’entreprise seront toujours très recherchées.
  3. L’affirmation du droit des actionnaires et celle du rôle du conseil s’imposeront. Le débat autour du droit des actionnaires par rapport à celui des conseils d’administration devra mener à une compréhension de ces droits conflictuels. Aujourd’hui, les conseils doivent tenir compte des parties prenantes en tout temps. Il existe toujours une situation potentiellement conflictuelle entre les intérêts des actionnaires et la responsabilité des administrateurs envers toutes les parties prenantes.
  4. La montée des investisseurs activistes se poursuivra. L’arrivée de l’activisme apporte une nouvelle dimension au travail des administrateurs. Les investisseurs activistes s’adressent directement aux actionnaires, ce qui mine l’autorité des conseils d’administration. Est-ce bon ou mauvais ? La vision à court terme des activistes peut être néfaste, mais toutes leurs actions ne sont pas négatives, notamment parce qu’ils s’intéressent souvent à des entreprises qui ont besoin d’un redressement sous une forme ou une autre. Pour bien des gens, les fonds activistes sont une façon d’améliorer la gouvernance. Le débat demeure ouvert. Le débat est toujours ouvert, mais force est de constater que l’actionnariat activiste est en pleine croissance partout dans le monde. Les effets souvent décriés des activistes sont de plus en plus acceptés comme bénéfiques dans plusieurs situations de gestion déficiente.
  5. La recherche de compétences clés deviendra la norme. De plus en plus, les organisations chercheront à augmenter la qualité de leur conseil en recrutant des administrateurs aux expertises précises, qui sont des atouts dans certains domaines ou secteurs névralgiques. Cette tendance est très nette. Les CA cherchent à recruter des membres aux expertises complémentaires.
  6. Les règles de bonne gouvernance vont s’étendre à plus d’entreprises. Les grands principes de la gouvernance sont les mêmes, peu importe le type d’organisation, de la PME à la société ouverte (ou cotée), en passant par les sociétés d’État, les organismes à but non lucratif et les entreprises familiales. Ici également, l’application des grands principes de gouvernance se généralise et s’applique à tous les types d’organisation, en les adaptant au contexte.
  7. Le rôle du président du conseil sera davantage valorisé. La tendance veut que deux personnes distinctes occupent les postes de président du conseil et de PDG, au lieu qu’une seule personne cumule les deux, comme c’est encore trop souvent le cas. Un bon conseil a besoin d’un solide leader, indépendant du PDG. Le rôle du Chairman est de plus en plus mis en évidence, car c’est lui qui représente le conseil auprès des différents publics. Il est de plus en plus indépendant de la direction. Les É.U. sont plus lents à adopter la séparation des fonctions entre Chairman et CEO.
  8. La diversité deviendra incontournable. Même s’il y a un plus grand nombre de femmes au sein des conseils, le déficit est encore énorme. Pourtant, certaines études montrent que les entreprises qui font une place aux femmes au sein de leur conseil sont plus rentables. Et la diversité doit s’étendre à d’autres origines culturelles, à des gens de tous âges et d’horizons divers. La diversité dans la composition des conseils d’administration est de plus en plus la norme. On a fait des progrès remarquables à ce chapitre, mais la tendance à la diminution de la taille des CA ralentit quelque peu l’accession des femmes aux postes d’administratrices.
  9. Le rôle stratégique du conseil dans l’entreprise s’imposera. Le temps où les CA ne faisaient qu’approuver les orientations stratégiques définies par la direction est révolu. Désormais, l’élaboration du plan stratégique de l’entreprise doit se faire en collaboration avec le conseil, en profitant de son expertise. Certes, l’un des rôles les plus importants des administrateurs est de voir à l’orientation de l’entreprise, en apportant une valeur ajoutée aux stratégies élaborées par la direction. Les CA sont toujours sollicités, sous une forme ou une autre, dans la conception de la stratégie.
  10. La réglementation continuera de se raffermir. Le resserrement des règles qui encadrent la gouvernance ne fait que commencer. Selon Jacques Grisé, il faut s’attendre à ce que les autorités réglementaires exercent une surveillance accrue partout dans le monde, y compris au Québec, avec l’Autorité des marchés financiers. En conséquence, les conseils doivent se plier aux règles, notamment en ce qui concerne la rémunération et la divulgation. Les responsabilités des comités au sein du conseil prendront de l’importance. Les conseils doivent mettre en place des politiques claires en ce qui concerne la gouvernance. Les conseils d’administration accordent une attention accrue à la gouvernance par l’intermédiaire de leur comité de gouvernance, mais aussi par leurs comités de RH et d’Audit. Les autorités réglementaires mondiales sont de plus en plus vigilantes eu égard à l’application des principes de saine gouvernance. La SEC, qui donnait souvent le ton dans ce domaine, est en mode révision de la réglementation parce que le gouvernement de Trump la juge trop contraignante pour les entreprises. À suivre !
  11. La composition des conseils d’administration s’adaptera aux nouvelles exigences et se transformera. Les CA seront plus petits, ce qui réduira le rôle prépondérant du comité exécutif, en donnant plus de pouvoir à tous les administrateurs. Ceux-ci seront mieux choisis et formés, plus indépendants, mieux rémunérés et plus redevables de leur gestion aux diverses parties prenantes. Les administrateurs auront davantage de responsabilités et seront plus engagés dans les comités aux fonctions plus stratégiques. Leur responsabilité légale s’élargira en même temps que leurs tâches gagnent en importance. Il faudra donc des membres plus engagés, un conseil plus diversifié, dirigé par un leader plus fort. C’est la voie que les CA ont empruntée. La taille des CA est de plus en plus réduite ; les conseils exécutifs sont en voie de disparition pour faire plus de place aux trois comités statutaires : Gouvernance, Ressources Humaines et Audit. Les administrateurs sont de plus en plus engagés et ils doivent investir plus de temps dans leurs fonctions.
  12. L’évaluation de la performance des conseils d’administration deviendra la norme. La tendance est déjà bien ancrée aux États-Unis, où les entreprises engagent souvent des firmes externes pour mener cette évaluation. Certaines choisissent l’auto-évaluation. Dans tous les cas, le processus est ouvert et si les résultats restent confidentiels, ils contribuent à l’amélioration de l’efficacité des conseils d’administration. Effectivement, l’évaluation de la performance des conseils d’administration est devenue une pratique quasi universelle dans les entreprises cotées. Celles-ci doivent d’ailleurs divulguer le processus dans le rapport aux actionnaires. On assiste à un énorme changement depuis les dix dernières années.

 

À ces 12 tendances, il faudrait en ajouter deux autres qui se sont révélées cruciales pour les conseils d’administration depuis quelques années :

(1) la mise en œuvre d’une politique de gestion des risques, l’identification des risques, l’évaluation des facteurs de risque eu égard à leur probabilité d’occurrence et d’impact sur l’organisation, le suivi effectué par le comité d’audit et par l’auditeur interne.

(2) le renforcement des ressources du conseil par l’ajout de compétences liées à la cybersécurité. La sécurité des données est l’un des plus grands risques des entreprises.

 

Aspects fondamentaux à considérer par les administrateurs dans la gouvernance des organisations

 

 

Récemment, je suis intervenu auprès du conseil d’administration d’une OBNL et j’ai animé une discussion tournant autour des thèmes suivants en affirmant certains principes de gouvernance que je pense être incontournables.

Vous serez certainement intéressé par les propositions suivantes :

(1) Le conseil d’administration est souverain — il est l’ultime organe décisionnel.

(2) Le rôle des administrateurs est d’assurer la saine gestion de l’organisation en fonction d’objectifs établis. L’administrateur a un rôle de fiduciaire, non seulement envers les membres qui les ont élus, mais aussi envers les parties prenantes de toute l’organisation. Son rôle comporte des devoirs et des responsabilités envers celle-ci.

(3) Les administrateurs ont un devoir de surveillance et de diligence ; ils doivent cependant s’assurer de ne pas s’immiscer dans la gestion de l’organisation (« nose in, fingers out »).

(4) Les administrateurs élus par l’assemblée générale ne sont pas porteurs des intérêts propres à leur groupe ; ce sont les intérêts supérieurs de l’organisation qui priment.

(5) Le président du conseil est le chef d’orchestre du groupe d’administrateurs ; il doit être en étroite relation avec le premier dirigeant et bien comprendre les coulisses du pouvoir.

(6) Les membres du conseil doivent entretenir des relations de collaboration et de respect entre eux ; ils doivent viser les consensus et exprimer leur solidarité, notamment par la confidentialité des échanges.

(7) Les administrateurs doivent être bien préparés pour les réunions du conseil et ils doivent poser les bonnes questions afin de bien comprendre les enjeux et de décider en toute indépendance d’esprit. Pour ce faire, ils peuvent tirer profit de l’avis d’experts indépendants.

(8) La composition du conseil devrait refléter la diversité de l’organisation. On doit privilégier l’expertise, la connaissance de l’industrie et la complémentarité.

(9) Le conseil d’administration doit accorder toute son attention aux orientations stratégiques de l’organisation et passer le plus clair de son temps dans un rôle de conseil stratégique.

(10) Chaque réunion devrait se conclure par un huis clos, systématiquement inscrit à l’ordre du jour de toutes les rencontres.

(11) Le président du CA doit procéder à l’évaluation du fonctionnement et de la dynamique du conseil.

(12) Les administrateurs doivent prévoir des activités de formation en gouvernance et en éthique.

 

Voici enfin une documentation utile pour bien appréhender les grandes tendances qui se dégagent dans le monde de la gouvernance aux É.U., au Canada et en France.

 

  1. La gouvernance relative aux sociétés en 2017 | Un « Survey » des entreprises du SV 150 et de la S&P 100
  2. Principales tendances en gouvernance à l’échelle internationale en 2017
  3. Séparation des fonctions de PDG et de président du conseil d’administration | Signe de saine gouvernance !
  4. Six mesures pour améliorer la gouvernance des organismes publics au Québec | Yvan Allaire
  5. Cadre de référence pour évaluer la gouvernance des sociétés | Questionnaire de 100 items
  6. La gouvernance française suit-elle la tendance mondiale ?
  7. Enquête mondiale sur les conseils d’administration et la gouvernance

 

En quoi une formation en gouvernance des TI est-elle essentielle ?


Plusieurs personnes me demandent s’il existe une formation en gouvernance des TI à l’intention de membres de conseils d’administration et des hauts dirigeants.

Le Collège des administrateurs de sociétés (CAS) offre une formation ciblée d’une journée en gouvernance des TI, même si vous n’êtes pas un spécialiste en la matière.

Bon nombre d’administrateurs se sentent démunis et mal à l’aise lorsque vient le temps de discuter des dossiers de TI au conseil d’administration et de prendre des décisions importantes et stratégiques pour l’entreprise.
Cette formation d’une journée en gouvernance des TI vous donnera des assises solides pour comprendre et bien jouer votre rôle, et ce même si vous n’êtes pas un spécialiste en la matière.

Paule-Anne Morin, ASC, consultante, administratrice de sociétés et formatrice a conçu une formation spécialisée de haut niveau pour combler ce grand besoin.

 

 

Thèmes abordés lors de la journée

 

Gouvernance des TI : pourquoi faut-il s’y intéresser ?

Tremplin stratégique dans la performance des organisations : des outils concrets

Enjeux numériques et gestion de risques

Outils de mesure et de performance TI

CA et gouvernance des TI : rôle, structure et conditions de succès

Profil des participants

 

– Membres de conseils d’administration

– Hauts dirigeants

– Gestionnaires

– Investisseurs

 

Prochaines sessions de formation

 

23 octobre 2018 — Québec

De 8 h à 18 h
Édifice Price
65, rue Sainte-Anne
11e étage Québec (Québec)  G1R 3X5

 

28 mars 2019 — Montréal

De 8 h à 18 h
Centre de conférence Le 1000
Niveau Mezzanine
1000, rue De La Gauchetière Ouest
Montréal (Québec)  H3B 4W5

 

Inscrivez-vous ici

 

 


Information

Consultez la page Gouvernance des TI sur le site du CAS pour obtenir tous les détails.

Reconnaissance professionnelle

Cette formation, d’une durée de 7,5 heures, est reconnue aux fins des règlements ou des politiques de formation continue obligatoire du Collège et des ordres et organismes professionnels suivants : Barreau du Québec, Ordre des ADMA du Québec, Ordre des CPA du Québec, Ordre des CRHA et Association des MBA du Québec.

Les enjeux de la diffusion des informations stratégiques sur les réseaux sociaux


Ce matin un article de Alissa Amico*, paru sur le forum de Harvard Law School, a attiré mon attention parce que c’est sur un sujet qui fait couler beaucoup d’encre dans le domaine la gouvernance des entreprises publiques (cotées en bourse).

En effet, quels sont les moyens appropriés de diffusion et de divulgation des informations à l’ère des médias sociaux ? L’auteure fait le tour de la question en rappelant qu’il existe encore beaucoup d’ambiguïté dans l’acceptation des nouveaux outils de communication.

On le sait, la SEC a réagi promptement aux annonces de Elon Musk, PDG et Chairman de Telsa, faites par le biais de Twitter qui ont été jugées trompeuses et qui ne respectaient pas le principe d’une diffusion de l’information à la portée de tous les actionnaires.

L’auteure rappelle que l’Autorité des Marchés Financiers français a pris une position ferme à ce propos en exigeant que les entreprises divulguent leurs réseaux sociaux privilégiés de communication sur leur site Internet.

La conclusion de l’article est révélatrice de grands changements à l’égard de la diffusion d’information stratégique.

The ultimate twist of irony is of course that the SEC, investigating Tesla and its CEO, is part of the same government whose President’s tweeting activity has been far from uncontroversial. Both Mr. Musk’s and Mr. Trump’s use of Twitter highlight that—whether we like it or not—social media may soon be the most consulted sort of media. Its impact, in both corporate or political circles, needs hence to be considered by policymakers seriously. It is clear that every boat—whether corporate or political—needs a captain responsible for setting the course and communicating it to the lighthouse to avoid collisions and confusion at sea. Yet, captains are not pirates, and in the era of social media, regulators need to devise new rules of the game to avoid investor collusion and collision.

Qu’en pensez-vous ?

Bonne lecture !

 

On Elon Musk, Donald Trump, and Corporate Governance

 

 

Résultats de recherche d'images pour « Elon Musk SEC »
SEC sues Tesla CEO Elon Musk for ‘misleading’ tweet »- ABC News

 

There was something Trumpian in Elon Musk’s tweet about taking Tesla private. “Am considering taking Tesla private at $420. Funding secured”, he boldly and succinctly announced on August 7, claiming that the necessary capital has been confirmed from the Public Investment Fund (PIF), the Saudi sovereign fund that is seeking to become the region’s largest according to the ambitions of its government, including through the much-debated public offering of Saudi Aramco.

Like in a Mexican soap opera, news about the PIF raising fresh capital through the transfer of its 70% stake in SABIC, the Saudi $100 billion petrochemicals giant and the largest listed company in the Kingdom to Saudi Aramco, as well its talks with Tesla’s rival Lucid followed shortly, immediately highlighting the perils of instant communication. As it turns out, tweeting 280-character messages is straightforward, explaining them takes a little more character and significantly more characters.

The Securities and Exchange Commission (SEC) has reacted promptly, issuing a subpoena to Tesla to probe into the accuracy of its communication to investors. Elon Musk is unfortunately not the first CEO to pay for taking to Twitter. Nestle’s attempt at humor on Twitter, which likened a massacre of Mexican students to its candy bar, resulted in calls for boycott, ultimately forcing the company to erase the message and apologize. Even the CEO of Twitter itself, Jack Dorsey, has had to apologize for one of his personal tweets, which unlike Tesla and Nestle cases, had nothing to do with his company.

Indeed, the emergence of new communication channels has occurred at a faster pace than regulation on how these should be employed by companies has emerged, whilst over-excited executives have taken to social media in attempt to build hype around their companies. In the world where the number of Instagram, Twitter and Facebook followers counts more than the number of public investors, social media has the potential of becoming the main channel for communication in the corporate world.

Although this phenomenon has gone largely unnoticed, its implications need to be considered in a wider context that is beyond this immediate Bermuda Triangle involving Mr. Musk, the PIF and Tesla. In fact, this episode raises two important and distinct questions: first, who should be able to speak on behalf of public shareholding companies in order to ensure the accuracy of communication, and second, how should this communication be made such that it reaches its ultimate target, the investor community.

In developed markets such as the United States, where Tesla is incorporated, disclosure by public companies is subject to a myriad of regulations including Rule 10b-5—first issued 70 years ago—which prohibits the release or omission of material information, resulting in fraud or deceit. It is also subject to a more recent Fair Disclosure Regulation which essentially forbids companies from releasing non-public material information to third parties, effectively stamping out the practice of selective disclosure by companies to specific investors.

These regulations provide the colorful context behind the SEC’s investigation into Mr. Musk’s unfortunate tweet, allowing the regulator to question whether he had misled investors: that is, whether funding for taking Tesla private has indeed been “secured”. Another issue—and one not raised in the media—is whether Twitter can effectively be considered as an appropriate means of communication to the investor community. In the United States, where 70% of public share ownership today is in the hands of institutional investors, this is a moot point.

Indeed, the SEC has officially allowed listed companies to use social media in 2013, prompted by an investigation into a Facebook post by the Netflix CEO Reed Hastings about the company passing a billion hours watched for the first time. The SEC did not penalize him and decided that henceforth social media could be used for communicating corporate announcements as long as investors are warned that this would be the case.

In the context of emerging markets however, this position would be potentially quite dangerous. In Saudi Arabia for example, home to the PIF—Tesla’s alleged buyer—trading in the stock market is 90% retail, whereas its underlying ownership is largely institutional. Communicating company news via social media presupposes that all investors have equal access to it, which may not necessarily be the case in retail marketplaces. Regulators in emerging markets, where guidelines on the use of social media for corporate announcements are generally lacking, would do well to address this before executives take to Twitter and Facebook.

They would need to keep in mind however, that habits of emerging market investors may not have shifted fast enough to be comfortable in the world of Twitter. In Egypt for example, the officially recognised channel for publishing financial results remains the country’s newspapers. Expecting investors to run from conventional—not to say outdated—means of communication, to judiciously tracking social media announcements appears overly ambitious.

Using social media as a means of communicating material corporate news raises another non-semantic point which is equally important to address in both emerging and developed markets. It is not only tweets of CEOs like Elon Musk that have the potential to affect share prices and investor perceptions. If CFOs, CROs, CIOs, COOs and other C-suite members take to Twitter, Facebook, Instagram or other platforms to offer their interpretation of company developments, the potential impact on investors could be quite disheartening.

Just like the CEO’s or the CFO’s ability to write a cheque is circumscribed by internal controls and board oversight of material transactions related to mergers and acquisitions for instance, their ability to speak on behalf of their companies should be addressed by policies including specific approval processes. This would effectively limit the possibility of senior executives or board members using their iPhone as a Megaphone, instead requiring rigorous processes to be introduced such that social media announcements are coherent with other disclosure channels and indeed with corporate strategy.

From a governance perspective, further thought should be given to centralizing the communication function within companies in the hands of the Head of Investor Relations or equivalent. Indeed, given the value of information in our era of fast-paced communication powered by social media and fast-paced stock exchanges powered by algorithmic and high-frequency trading, the role of a Chief Communication Officer may be justified in large publicly listed companies, just as the role of a Chief Risk Officer reporting to the board has been introduced in many large organisations following the financial crisis.

While forcing companies in a straightjacket of yet more corporate governance rules on how they should handle their corporate communications may be unwise, some thought about legal distinctions and limits between what is considered personal and corporate announcements appears warranted. Investors may need to be told that unless corporate announcements come from official company channels—which personal Twitter accounts are not—their interpretation of tweets by excited executives are to be made at their own peril, not subject to usual investor protections.

Likewise, publicly-traded companies need to inform the investor community of what constitutes their official communication channels and ensure that financial and non-financial information announced through these is pre-approved, synchronized and not in conflict with existing regulations. Some regulators such as the French securities regulator, Authorité des Marches Financiers, has done so almost 5 years ago, recommending that companies specify their social media accounts on their website as well as establish a charter addressing how executives and staff are to use their personal social media accounts.

The ultimate twist of irony is of course that the SEC, investigating Tesla and its CEO, is part of the same government whose President’s tweeting activity has been far from uncontroversial. Both Mr. Musk’s and Mr. Trump’s use of Twitter highlight that—whether we like it or not—social media may soon be the most consulted sort of media. Its impact, in both corporate or political circles, needs hence to be considered by policymakers seriously. It is clear that every boat—whether corporate or political—needs a captain responsible for setting the course and communicating it to the lighthouse to avoid collisions and confusion at sea. Yet, captains are not pirates, and in the era of social media, regulators need to devise new rules of the game to avoid investor collusion and collision.

 


*Alissa Amico is the Managing Director of GOVERN. This post is based on a GOVERN memorandum by Ms. Amico.

Le futur code de gouvernance du Royaume-Uni


Je vous invite à prendre connaissance du futur code de gouvernance du Royaume-Uni (R.-U.).

À cet effet, voici un billet de Martin Lipton*, paru sur le site de Harvard Law School Forum on Corporate Governance, qui présente un aperçu des points saillants.

Bonne lecture !

 

The Financial Reporting Council today [July 16, 2018] issued a revised corporate governance code and announced that a revised investor stewardship code will be issued before year-end. The code and related materials are available at www.frc.org.uk.

The revised code contains two provisions that will be of great interest. They will undoubtedly be relied upon in efforts to update the various U.S. corporate governance codes. They will also be used to further the efforts to expand the sustainability and stakeholder concerns of U.S. boards.

First, the introduction to the code makes note that shareholder primacy needs to be moderated and that the concept of the “purpose” of the corporation, as long put forth in the U.K. by Colin Mayer and recently popularized in the U.S. by Larry Fink in his 2018 letter to CEO’s, is the guiding principle for the revised code:

Companies do not exist in isolation. Successful and sustainable businesses underpin our economy and society by providing employment and creating prosperity. To succeed in the long-term, directors and the companies they lead need to build and maintain successful relationships with a wide range of stakeholders. These relationships will be successful and enduring if they are based on respect, trust and mutual benefit. Accordingly, a company’s culture should promote integrity and openness, value diversity and be responsive to the views of shareholders and wider stakeholders.

Second, the code provides that the board is responsible for policies and practices which reinforce a healthy culture and that the board should engage:

with the workforce through one, or a combination, of a director appointed from the workforce, a formal workforce advisory panel and a designated non-executive director, or other arrangements which meet the circumstances of the company and the workforce.

It will be interesting to see how this provision will be implemented and whether it gains any traction in the U.S.

 

 

The UK Corporate Governance Code

 

Résultats de recherche d'images pour « UK Corporate Governance Code 2018 »


Martin Lipton* is a founding partner of Wachtell, Lipton, Rosen & Katz, specializing in mergers and acquisitions and matters affecting corporate policy and strategy. This post is based on a Wachtell Lipton memorandum by Mr. Lipton.

Les CA sont composés de plusieurs comités qui, ensemble, accomplissent l’essentiel des devoirs de fiduciaire


Il est maintenant bien établi que les conseils d’administration comptent au moins trois comités composés de membres du conseil qui se rapportent au CA : le comité d’audit, le comité des ressources humaines et le comité de gouvernance.

Les comités sont, en général, formés d’environ trois membres du conseil ; ils sont présidés par un administrateur et ils se réunissent aussi souvent que le CA lui-même.

Il est évident qu’une grande partie du travail des administrateurs du conseil se fait par l’intermédiaire des comités mis en place par le CA.

L’article ci-dessous, publié par Steve W. Klemash*, Kellie C. et Jamie Smith, provient d’une publication du Centre de la gouvernance EY. Les auteurs présentent les résultats d’une enquête sur les autres comités mis en place par les CA des entreprises du S&P 500, en sus des trois comités statutaires.

Les résultats sont  présentés succinctement dans le document qui suit. Ainsi, il ressort que :

(1) la plupart des autres comités sont les comités exécutifs et les comités des finances

(2) la nature du secteur industriel a une grande importance sur le type de comité additionnel mis en place

(3) les comités sur la gestion des risques et la technologie sont aussi présents dans environ 10 % des cas

(4) la plupart des nouveaux comités sont en lien avec la veille de la cybersécurité, la transformation numérique et les technologies de l’information.

Je vous invite à prendre connaissance des détails dans le résumé ci-dessous.

Bonne lecture !

 

A Fresh Look at Board Committees

 

Résultats de recherche d'images pour « A Fresh Look at Board Committees »

 

 

In this age of innovation and transformation, today’s board members face increasingly complex challenges in overseeing corporate culture, strategy and risk oversight.

The digital revolution has facilitated radical changes in business models and made cybersecurity a strategic business imperative. Intangible assets have become a primary driver of long-term value, making the talent agenda mission-critical. Companies are adapting to changes in the labor market, digitization and automation, and a growing spotlight on corporate values and purpose. And all of this is occurring against a backdrop of rising geopolitical tensions and trade policy challenges.

We have tracked board structures since 2013, examining how S&P 500 companies are using board committee structure to address oversight needs. This post is based on a review of the 418 proxy statements filed as of 15 May 2018. The same set of companies in 2018 and 2013 were examined to provide consistency in the review.

 

Findings

 

Amid sustained and unprecedented change, board committee structures stayed largely the same over the past six years. Across all industries, boards primarily rely on the three “key” committees generally required by the stock exchanges—audit, compensation, and nominating and governance. [1] Bank holding companies (BHCs) of a certain size, whether public or privately held, are required to also have separate risk committees—a “fourth key committee” so to speak. [2] Above and beyond these committees, institutions typically have one additional standing board committee (“additional committee”) (usually an executive or finance committee). During 2013-18, the portion of companies with at least one additional committee grew marginally from 74% to 76%, and the average number of additional committees remained largely consistent.

The most common committees remained the same. More than one-third of S&P 500 companies had an executive or finance committee. Use of executive committees declined slightly from 38% to 36%, while finance committees held steady at around 36%. Other committees were much less common.

Industry matters. Financial, telecommunications and utilities companies average two or more additional committees. Health care, consumer staples, industrials, consumer discretionary and materials average one to two. Energy, real estate and technology companies average less than one.

Few additional committees focus on emerging risk and innovation. Compliance, risk and technology committees grew marginally. In 2018, the overall percentage of S&P 500 companies with these committees remained low at 16%, 11% and 7%, respectively. Other types of committees largely held steady or declined.

A variety of additional committees oversee technology matters. Ten percent of companies assigned oversight of cybersecurity, digital transformation and information technology to an additional committee. These were typically technology, risk or compliance committees.

 

Our perspective

 

Today’s boards are navigating a sustained, highly disruptive and competitive environment. Board agendas have become increasingly packed with complex and evolving oversight topics, and key committee responsibilities have stretched beyond their core purview. Challenging the committee structure as part of the board assessment process may help the board determine the most effective oversight approach based on the company’s unique circumstances.

The ideal board committee structure is appropriate for the company’s specific needs and the board’s unique culture, is forward-looking, and supports the board’s ability to think strategically and comprehensively about key elements of the company business.

 

A closer look at the big banks

 

Large BHCs are unusual in that they are required to have a board- level risk committee. For these firms, other common additional committees included:

Questions for the board to consider

 

Is the board’s committee structure appropriate to forward-looking board priorities and company specific needs?

Is the board size and composition adaptable to changing committee responsibilities as needed based on the company’s evolving oversight needs?

Is the board familiar with how peer companies are addressing board oversight responsibilities?

Do assessments of board effectiveness reveal possible pressure points that might be resolved with changes in committee structure?

As committees assess their own effectiveness and performance, is their capacity, workload and areas of expertise part of that assessment?

As new directors join the board and bring new areas of expertise, does the board consider whether the current committee structure fully leverages those new director skills?

___________________________________________________

Endnotes

1Subject to certain exemptions, companies listed on the NYSE or NASDAQ must have independent audit, compensation and nominating/corporate governance committees. As an alternative to a nominating/corporate governance committee, director nominees may be selected by a majority of the independent directors for NASDAQ-listed companies.(go back)

2The Federal Reserve’s Enhanced Prudential Standards require separate risk committees for large publicly held US bank holding companies with total consolidated assets of \$10 billion or more.(go back)

________________________________________________________________

*Steve W. Klemash is Americas Leader, Kellie C. Huennekens is Associate Director, and Jamie Smith is Associate Director, at the EY Center for Board Matters. This post is based on their EY publication.

Comment un CA peut-il utiliser la technologie pour conserver son avantage concurrentiel ?


Maggie McGhee* a publié un très bon article sur l’importance croissante d’une solide connaissance des administrateurs eu égard aux perspectives offertes par les nouvelles technologies.

C’est la seule façon de s’assurer de développer ou de maintenir un avantage concurrentiel. L’article est paru sur le site de Board Agenda du 5 juillet 2018.

L’utilisation de nouvelles technologies peut varier d’une entreprise à une autre, mais aucune organisation ne peut se priver de questionner son modèle d’affaires afin de tenir compte des changements de paradigme.

L’auteure fait donc un rappel crucial aux administrateurs. De nouvelles compétences sont requises sur le Board !

Je vous invite également à lire un article, en français, sur les 10 nouvelles technologies qui ont marqué l’année 2017.

Enfin, je vous rappelle que cet article peut être traduit en français instantanément (vous n’avez qu’à cliquer sur le premier symbole dans la partie supérieure droite du navigateur Chrome de Google). La traduction est très acceptable pour une bonne compréhension de l’article pour ceux qui ont moins de facilité avec l’anglais.

Bonne lecture !

 

How boards can use technology to retain a competitive edge

 

Knowledge and skills in the boardroom must evolve with the risks and opportunities presented by technology—as well as its associated data—if companies are to remain competitive.

 

Résultats de recherche d'images pour « technologie »

 

For many organisations, embracing technology can be the difference between remaining relevant in their market, and being disrupted by new entrants. It represents a significant, and often the leading, business risk that boards need to address.

At the same time, by being proactive in their approach towards technology, boards may profit from what others see merely as threats. But what skills does the board need in order to provide such effective oversight, while being strategic?

In the need to remain relevant to customers and stakeholders, organisations are recognising that it is essential to adapt and embrace the opportunities that are created. Technology itself is an enabler, but it is never the solution, nor the sole driver.

 

Impact of technology

 

In our report, The Race for Relevance, we consider six technologies that are directly impacting the finance function alone. There are significantly more technologies that impact organisations as a whole.

As customer “stickiness” becomes a key tool in growth, organisations are starting to recognise the value of data created by the technologies that they own. It is an asset that is increasingly important, yet is also vulnerable to attack. Regulatory regimes are changing in order to address this. The upcoming implementation of the General Data Protection Regulation (GDPR) in May 2018, which focuses on personal data held in the EU, is one such example.

For many organisations, technology and the data generated by it present a significant business opportunity and risk—one which deserves appropriate board-level attention. So what role should the board play in assessing the use of technology and data?

 

Insight and guidance

 

The board needs to have the capability to provide insight and guidance in a number of areas. First, in the role of technology to deliver the business strategy, and whether advantage is being taken of emerging technologies.

Then there is the appraisal of technology investments, whether they are to support growth and commercial advantage, or to protect assets.

Boards must also evaluate the data strategy of the organisation by assessing whether the financial and non-financial data used to report against strategic objectives is appropriate.

Next, the board should consider the appropriateness of the organisation’s strategies to protect existing assets and information from unauthorised access or malicious attack.

They should also appraise whether the assessments of the critically held data are appropriate, and understand how data flows in an organisation comply with legal and regulatory requirements.

Assessing the risks arising from the use of technology, and how these are monitored through the organisation’s enterprise risk-management framework and internal control structures, is also a priority.

Lastly, boards should consider whether appropriate recovery plans are in place to manage the consequences of business disruption—including the management of technology and data assets.

 

The right skills

 

In discharging their responsibilities, boards should ask whether they have the skills within their membership to assess and advise appropriately.

This responsibility can be done in one of two ways. The first is by ensuring that at least one board member has direct experience of technology in the context of the industry in which the organisation operates. Having experience of addressing the risks of projects and protecting assets is invaluable, especially in those sectors where there is a high dependency on technology.

Or as an alternative, it can be done by ensuring the board has access to those with the requisite experience to advise on the risks. These may be internal experts or third parties.

Technology is an issue that cannot be ignored by boards. While not every board member needs to be fully technology-literate, it is important that all members can appreciate where it is used to create and sustain commercial advantage.

Equally, it is important that the board takes the lead in communicating across the organisation the risk and opportunity associated with technology. Without a shared understanding of the organisation’s approach to the use of technology, it will be practically impossible to roll out a consistent approach effectively.

Technology will continue to develop and provide new opportunities. Risks will continue to evolve. Commercial strategies will change as a result.

Boards need to embrace all of this if they are to remain relevant.


Maggie McGhee* is director of professional insights at ACCA (the Association of Chartered Certified Accountants).

Conséquences à la non-divulgation d’une cyberattaque majeure


Quelles sont les conséquences de ne pas divulguer une intrusion importante du système de sécurité informatique ?

Les auteurs, Matthew C. Solomon* et Pamela L. Marcogliese, dans un billet publié sur le forum du HLS, ont étudié de près la situation des manquements à la sécurité informatique de Yahoo et ils nous présentent les conséquences de la non-divulgation d’attaques cybernétiques et de bris à la sécurité des informations des clients.

Ils exposent le cas très clairement, puis ils s’attardent aux modalités des arrangements financiers avec la Securities and Exchange Commission (SEC). 

Comme ce sont des événements susceptibles de se produire de plus en plus, il importe que les entreprises soient bien au fait de ce qui les attend en cas de violation des obligations de divulgation.

Les auteurs font les cinq (5) constats suivants eu égard à la situation vécue par Yahoo :

 

— First, public companies should take seriously the SEC’s repeated warnings that one of its top priorities is ensuring that public companies meet their obligations to adequately disclose material cybersecurity incidents and risks. This requires regular assessment of cyber incidents and risks in light of the company’s disclosures, with the assistance of outside counsel and auditors as appropriate, and ensuring that there are adequate disclosure controls in place for such incidents and risks.

— Second, the SEC’s recently released interpretive guidance on cybersecurity disclosure is an important guidepost for all companies with such disclosure obligations. The guidance specifically cited the fact that the SEC views disclosure that a company is subject to future cybersecurity attacks as inadequate if the company had already suffered such incidents. Notably, the Yahoo settlement specifically faulted the company for this precise inadequacy in its disclosures. Similarly, the recent guidance encouraged companies to adopt comprehensive policies and procedures related to cybersecurity and to assess their compliance regularly, including the sufficiency of their disclosure controls and procedures as they relate to cybersecurity disclosure. The Yahoo settlement also found that the company had inadequate such controls.

— Third, at the same time the SEC announced the settlement, it took care to emphasize that “[w]e do not second-guess good faith exercises of judgment about cyber-incident disclosure.” [7] The SEC went on to note that Yahoo failed to meet this standard with respect to the 2014 Breach, but by articulating a “good faith” standard the SEC likely meant to send a message to the broader market that it is not seeking to penalize companies that make reasonable efforts to meet their cyber disclosure obligations.

— Fourth, it is also notable that the SEC charges did not include allegations that Yahoo violated securities laws with respect to the 2013 Breach. Yahoo had promptly disclosed the 2013 Breach after learning about it in late 2016, but updated its disclosure almost a year later with significant new information about the scope of the breach. The SEC’s recent guidance indicated that it was mindful that some material facts may not be available at the time of the initial disclosure, as was apparently the case with respect to the 2013 Breach. [8] At the same time, the SEC cautioned that “an ongoing internal or external investigation – which often can be lengthy – would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.” [9]

— Finally, it is worth noting that the Commission did not insist on settlements with any individuals. Companies, of course, can only commit securities violations through the actions of their employees. While it is not unusual for the Commission to settle entity-only cases on a “collective negligence” theory, the SEC Chair and the Enforcement Division’s leadership have emphasized the need to hold individuals accountable in order to maximize the deterrent impact of SEC actions. [10]

 

Bonne lecture !

 

Failure to Disclose a Cybersecurity Breach

 

 

Résultats de recherche d'images pour « yahoo data breach »

 

 

On April 24, 2018, Altaba, formerly known as Yahoo, entered into a settlement with the Securities and Exchange Commission (the “SEC”), pursuant to which Altaba agreed to pay $35 million to resolve allegations that Yahoo violated federal securities laws in connection with the disclosure of the 2014 data breach of its user database. The case represents the first time a public company has been charged by the SEC for failing to adequately disclose a cyber breach, an area that is expected to face continued heightened scrutiny as enforcement authorities and the public are increasingly focused on the actions taken by companies in response to such incidents. Altaba’s settlement with the SEC, coming on the heels of its agreement to pay $80 million to civil class action plaintiffs alleging similar disclosure violations, underscores the increasing potential legal exposure for companies based on failing to properly disclose cybersecurity risks and incidents.

Background

As alleged, Yahoo learned in late 2014 that it had recently suffered a data breach affecting over 500 million user accounts (the “2014 Breach”). Yahoo did not disclose the 2014 Breach until September 2016. During the time period Yahoo was aware of the undisclosed breach, it entered into negotiations to be acquired by Verizon and finalized a stock purchase agreement in July 2016, two months prior to the disclosure of the 2014 Breach. Following the disclosure in September 2016, Yahoo’s stock price dropped 3% and it later renegotiated the stock purchase agreement to reduce the price paid for Yahoo’s operating business by $350 million.

In or about late 2016, following its disclosure of the 2014 Breach, Yahoo learned about a separate breach that had taken place in August 2013 and promptly announced that such breach had affected 1 billion users (the “2013 Breach”). In October 2017, Yahoo updated its disclosure concerning the 2013 Breach, announcing that it now believed that all 3 billion of its accounts had been affected.

The Settlement

Altaba’s SEC settlement centered on the 2014 Breach only. The SEC found that despite learning of the 2014 Breach in late 2014—which resulted in the theft of as many as 500 million of its users’ Yahoo usernames, email addresses, telephone numbers, dates of birth, hashed passwords, and security questions and answers, referred to internally as Yahoo’s “crown jewels”— Yahoo failed to timely disclose the material cybersecurity incident in any of its public securities filings until September 2016. Although Yahoo senior management and relevant legal staff were made aware of the 2014 Breach, according to the SEC, they “did not properly assess the scope, business impact, or legal implications of the breach, including how and where the breach should have been disclosed in Yahoo’s public filings or whether the fact of the breach rendered, or would render, any statements made by Yahoo in its public filings misleading.” [1] The SEC also faulted Yahoo’s senior management and legal staff because they “did not share information regarding the breach with Yahoo’s auditors or outside counsel in order to assess the company’s disclosure obligations in its public filings.” [2]

Among other things, the SEC found that Yahoo’s risk factor disclosures in its annual and quarterly reports from 2014 through 2016 were materially misleading in that they claimed the company only faced the risk of potential future data breaches, without disclosing that “a massive data breach” had in fact already occurred. [3]

The SEC also alleged that Yahoo management’s discussion and analysis of financial condition and results of operations (“MD&A”) in those reports was also misleading to the extent it omitted known trends or uncertainties with regard to liquidity or net revenue presented by the 2014 Breach. [4]Finally, the SEC further found that Yahoo did not maintain adequate disclosure controls and procedures designed to ensure that reports from Yahoo’s information security team raising actual incidents of the theft of user data, or the significant risk of theft of user data, were properly and timely assessed to determine how and where data breaches should be disclosed in Yahoo’s public filings. [5]

Based on these allegations, the SEC found that Yahoo violated Sections 17(a)(2) and 17(a)(3) of the Securities Act and Section 13(a) of the Securities Exchange Act. [6] To settle the charges, Altaba, without admitting or denying liability, agreed to cease and desist from any further violations of the federal securities laws and pay a civil penalty of $35 million.

Takeaways

There are several important takeaways from the settlement:

— First, public companies should take seriously the SEC’s repeated warnings that one of its top priorities is ensuring that public companies meet their obligations to adequately disclose material cybersecurity incidents and risks. This requires regular assessment of cyber incidents and risks in light of the company’s disclosures, with the assistance of outside counsel and auditors as appropriate, and ensuring that there are adequate disclosure controls in place for such incidents and risks.

— Second, the SEC’s recently released interpretive guidance on cybersecurity disclosure is an important guidepost for all companies with such disclosure obligations. The guidance specifically cited the fact that the SEC views disclosure that a company is subject to future cybersecurity attacks as inadequate if the company had already suffered such incidents. Notably, the Yahoo settlement specifically faulted the company for this precise inadequacy in its disclosures. Similarly, the recent guidance encouraged companies to adopt comprehensive policies and procedures related to cybersecurity and to assess their compliance regularly, including the sufficiency of their disclosure controls and procedures as they relate to cybersecurity disclosure. The Yahoo settlement also found that the company had inadequate such controls.

— Third, at the same time the SEC announced the settlement, it took care to emphasize that “[w]e do not second-guess good faith exercises of judgment about cyber-incident disclosure.” [7] The SEC went on to note that Yahoo failed to meet this standard with respect to the 2014 Breach, but by articulating a “good faith” standard the SEC likely meant to send a message to the broader market that it is not seeking to penalize companies that make reasonable efforts to meet their cyber disclosure obligations.

— Fourth, it is also notable that the SEC charges did not include allegations that Yahoo violated securities laws with respect to the 2013 Breach. Yahoo had promptly disclosed the 2013 Breach after learning about it in late 2016, but updated its disclosure almost a year later with significant new information about the scope of the breach. The SEC’s recent guidance indicated that it was mindful that some material facts may not be available at the time of the initial disclosure, as was apparently the case with respect to the 2013 Breach. [8] At the same time, the SEC cautioned that “an ongoing internal or external investigation – which often can be lengthy – would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.” [9]

— Finally, it is worth noting that the Commission did not insist on settlements with any individuals. Companies, of course, can only commit securities violations through the actions of their employees. While it is not unusual for the Commission to settle entity-only cases on a “collective negligence” theory, the SEC Chair and the Enforcement Division’s leadership have emphasized the need to hold individuals accountable in order to maximize the deterrent impact of SEC actions. [10]

_________________________________________________________________________

Endnotes

1Altaba Inc., f/d/b/a Yahoo! Inc., Securities Act Release No. 10485, Exchange Act Release No. 83096, Accounting and Auditing Enforcement Release No. 3937, Administrative Proceeding File No. 3937 (Apr. 24, 2018) at ¶ 14.(go back)

2Idat ¶ 15.(go back)

3Idat ¶¶ 2, 16.(go back)

4Id.(go back)

5Idat ¶ 15.(go back)

6Idat ¶¶ 22-23.(go back)

7Press Release, SEC, Altaba, Formerly Known As Yahoo!, Charged With Failing to Disclose Massive Cybersecurity Breach; Agrees To Pay $35 Million (Apr. 24, 2018), https://www.sec.gov/news/press-release/2018-71.(go back)

8As we have previously discussed, the federal securities laws do not impose a general affirmative duty on public companies to continuously disclose material information and, as acknowledged in Footnote 37 of the interpretive guidance, circuits are split on whether a duty to update exists. However, in circuits where a duty to update has been found to exist, a distinction has often been drawn between statements of a policy nature that are within the company’s control and statements describing then current facts that would be expected to change over time. The former have been held subject to a duty to update while the latter have not. See In re Advanta Corp. Securities Litigation, 180 F.3d 525, 536 (3d Cir. 1997) (“[T]he voluntary disclosure of an ordinary earnings forecast does not trigger any duty to update.”); In re Burlington Coat Factory Securities Litigation, 114 F.3d 1410, 1433 (3d Cir. 1997); In re Duane Reade Inc. Securities Litigation, No. 02 Civ. 6478 (NRB), 2003 WL 22801416, at *7 (S.D.N.Y. Nov. 25, 2003), aff’d sub nom. Nardoff v. Duane Reade, Inc., 107 F. App’x 250 (2d Cir. 2004) (“‘company has no duty to update forward–looking statements merely because changing circumstances have proven them wrong.’”).(go back)

9See SEC, Commission Statement and Guidance on Public Company Cybersecurity Disclosures, 83 Fed. Reg 8166, 8169 (Feb. 26, 2018), https://www.federalregister.gov/documents/2018/02/26/2018-03858/commission-statement-and-guidance-on-public- company-cybersecurity-disclosures.(go back)

10See, e.g., Steven R. Peikin, Co-Director, Div. Enf’t., SEC, Reflections on the Past, Present, and Future of the SEC’s Enforcement of the Foreign Corrupt Practices Act, Keynote Address at N.Y.U. Program on Corporate Law and Enforcement Conference: No Turning Back: 40 Years of the FCAP and 20 Years of the OECD Anti-Bribery Convention Impacts, Achievements, and Future Challenges (Nov. 9, 2017), https://www.sec.gov/news/speech/speech-peikin2017-11-09;
SEC Div. Enf’t., Annual Report A Look Back at Fiscal Year 2017, at 2 (Nov. 15, 2017), https://www.sec.gov/files/enforcement-annual-report2017.pdf.(go back)

_______________________________________________________________________

*Matthew C. Solomon and Pamela L. Marcogliese are partners and Rahul Mukhi is counsel at Cleary Gottlieb Steen & Hamilton LLP. This post is based on a Cleary Gottlieb publication by Mr. Solomon, Ms. Marcogliese, Ms. Mukhi, and Kal Blassberger.

Les responsabilités des administrateurs eu égard à la gestion des risques


Les administrateurs de sociétés doivent apporter une attention spéciale à la gestion des risques telle qu’elle est mise en œuvre par les dirigeants des entreprises.

Les préoccupations des fiduciaires pour la gestion des risques, quoique fondamentales, sont relativement récentes, et les administrateurs ne savent souvent pas comment aborder cette question.

L’article présenté, ci-dessous, est le fruit d’une recherche de Martin Lipton, fondateur de la firme Wachtell, Lipton, Rosen & Katz, spécialisée dans les fusions et acquisitions ainsi que dans les affaires de gouvernance.

L’auteur et ses collaborateurs ont produit un guide des pratiques exemplaires en matière de gestion des risques. Cet article de fond s’adresse aux administrateurs et touche aux éléments-clés de la gestion des risques :

(1) la distinction entre la supervision des risques et la gestion des risques ;

(2) les leçons que l’on doit tirer de la supervision des risques à Wells Fargo ;

(3) l’importance accordée par les investisseurs institutionnels aux questions des risques ;

(4) « tone at the top » et culture organisationnelle ;

(5) les devoirs fiduciaires, les contraintes réglementaires et les meilleures pratiques ;

(6) quelques recommandations spécifiques pour améliorer la supervision des risques ;

(7) les programmes de conformité juridiques ;

(8) les considérations touchant les questions de cybersécurité ;

(9) quelques facettes se rapportant aux risques environnementaux, sociaux et de gouvernance ;

(10) l’anticipation des risques futurs.

 

Voici donc l’introduction de l’article. Je vous invite à prendre connaissance de l’article au complet.

Bonne lecture !

 

Risk Management and the Board of Directors

 

Résultats de recherche d'images pour « Gestion des risques et administrateurs de sociétés »

 

Overview

The past year has seen continued evolution in the political, legal and economic arenas as technological change accelerates. Innovation, new business models, dealmaking and rapidly evolving technologies are transforming competitive and industry landscapes and impacting companies’ strategic plans and prospects for sustainable, long-term value creation. Tax reform has created new opportunities and challenges for companies too. Meanwhile, the severe consequences that can flow from misconduct within an organization serve as a reminder that corporate operations are fraught with risk. Social and environmental issues, including heightened focus on income inequality and economic disparities, scrutiny of sexual misconduct issues and evolving views on climate change and natural disasters, have taken on a new salience in the public sphere, requiring companies to exercise utmost care to address legitimate issues and avoid public relations crises and liability.

Corporate risk taking and the monitoring of corporate risk remain prominently top of mind for boards of directors, investors, legislators and the media. Major institutional shareholders and proxy advisory firms increasingly evaluate risk oversight matters when considering withhold votes in uncontested director elections and routinely engage companies on risk-related topics. This focus on risk management has also led to increased scrutiny of compensation arrangements throughout the organization that have the potential for incentivizing excessive risk taking. Risk management is no longer simply a business and operational responsibility of management. It has also become a governance issue that is squarely within the oversight responsibility of the board. This post highlights a number of issues that have remained critical over the years and provides an update to reflect emerging and recent developments. Key topics addressed in this post include:

the distinction between risk oversight and risk management;

a lesson from Wells Fargo on risk oversight;

the strong institutional investor focus on risk matters;

tone at the top and corporate culture;

fiduciary duties, legal and regulatory frameworks and third-party guidance on best practices;

specific recommendations for improving risk oversight;

legal compliance programs;

special considerations regarding cybersecurity matters;

special considerations pertaining to environmental, social and governance (ESG) risks; and

anticipating future risks.

Rôle du conseil d’administration en cas de gestion de crises | Les défis de Facebook


Voici un article qui met en garde les structures de gouvernance telles que Facebook.

L’article publié sur le site de Directors&Boards par Eve Tahmincioglu soulève plusieurs questions fondamentales :

(1) L’actionnariat à vote multiple conduit-il à une structure de gouvernance convenable et acceptable ?

(2) Pourquoi le principe de gouvernance stipulant une action, un vote, est-il bafoué dans le cas de plusieurs entreprises de la Silicone Valley ?

(3) Quel est le véritable pouvoir d’un conseil d’administration où les fondateurs sont majoritaires par le jeu des actions à classe multiple ?

(4) Doit-on réglementer pour rétablir la position de suprématie du conseil d’administration dirigé par des administrateurs indépendants ?

(5) Dans une situation de gestion de crise comme celle qui confronte Facebook, quel est le rôle d’un administrateur indépendant, président de conseil ?

(6) Les médias cherchent à connaître la position du PDG sans se questionner sur les responsabilités des administrateurs. Est-ce normal en gestion de crise ?

Je vous invite à lire l’article ci-dessous et à exprimer vos idées sur les principes de bonne gouvernance appliqués aux entreprises publiques contrôlées par les fondateurs.

Bonne lecture !

 

Facebook Confronts Its Biggest Challenge: But where’s the “high-powered” board?

 

 

Résultats de recherche d'images pour « facebook »i

 

Facebook is arguably facing one of the toughest challenges the company has ever faced. But the slow and tepid response from leadership, including the boards of directors, concerns governance experts.

The scandal involving data-mining firm Cambridge Analytica allegedly led to 50 million Facebook users’ private information being compromised but a public accounting from Facebook’s CEO and chairman Mark Zuckerberg has been slow coming.

Could this be a governance breakdown?

“This high-powered board needs to engage more strongly,” says Steve Odland, CEO of the Committee for Economic Development and a board member for General Mills, Inc. and Analogic Corporation. Facebook’s board includes Netflix’s CEO Reed Hastings; Susan D. Desmond-Hellmann, CEO of The Gates Foundation; the former chairman of American Express Kenneth I. Chenault; and PayPal cofounder Peter A. Thiel, among others.

Odland points out that Facebook has two powerful and well-known executives, Zuckerberg and Facebook COO Sheryl Sandberg, who have been publicly out there on every subject, but largely absent on this one.

While Zuckerberg released a written statement late today on his Facebook page, he didn’t talk directly to the public, or take media questions. He is reportedly planning to appear on CNN tonight.

It was a long time coming for many.

“They need to get out and publicly talk about this quickly,” Odland maintains. “They didn’t have to have all the answers. But this vacuum of communications gets filled by others, and that’s not good for the company.”

Indeed, politicians, the Federal Trade Commission and European politicians are stepping in, he says, “and that could threaten the whole platform.”

Typically, he adds, it comes back to management to engage and use the board, but “I don’t think Zuckerberg is all that experienced in that regard. This is where the board needs to help him.”

But how much power does the board have?

Charles Elson, director of the University of Delaware’s Weinberg Center for Corporate Governance, sees the dual-class ownership structure of Facebook that gives the majority of voting power to Zuckerberg and thus undermines shareholders and the board’s power.

“It’s his board because of the dual-class stock. There is nothing [directors] can do; neither can the shareholders and a lawsuit would yield really nothing,” he explains.

Elson has been warning against such structures for some time, including in a piece for this publication on Snap’s dual-class IPO.

He and his coauthor Craig K. Ferrere wrote:

Increasingly, company founders have been opting to shore up control by creating stock ownership structures that undercut shareholder voting power, where only a decade ago almost all chose the standard and accepted one-share, one-vote model.

Now the Snap Inc. initial public offering (IPO) takes it even further with the first-ever solely non-voting stock model. It’s a stock ownership structure that further undercuts shareholder influence, undermines corporate governance and will likely shift the burden of investment grievances to the courts.

By offering stock in the company with no shareholder vote at all, Snap — the company behind the popular mobile-messaging app Snapchat that’s all about giving a voice to the many — has acknowledged that public voting power at companies with a hierarchy of stock ownership classes is only a fiction. And it begs the question: Why does Snap even need a board?

But some critics have waved Elson’s assertions away because so many tech companies, including Facebook, have been doing well by investors.

Alas, Facebook’s shares have tanked as a result of the Cambridge Analytica revelations, and it’s unclear what’s happening among the leaders at Facebook to deal with the crisis.

Facebook’s board, advises Odland, needs to get involved and help create privacy policies and if those are violated, they need to follow up.

“This is a relatively young company in a relatively young industry that has grown to be a powerhouse and incredibly important,” he explains.  Given that, he says, there are “new forms of risk management this board needs to tackle.”

Enjeux clés concernant les membres des comités d’audit | KPMG


Le récent rapport de KPMG sur les grandes tendances en audit présente sept défis que les membres des CA, notamment les membres des comités d’audit, doivent considérer afin de bien s’acquitter de leurs responsabilités dans la gouvernance des sociétés.

Le rapport a été rédigé par des professionnels en audit de la firme KPMG ainsi que par le Conference Board du Canada.

Les sept défis abordés dans le rapport sont les suivants :

– talent et capital humain ;

– technologie et cybersécurité ;

– perturbation des modèles d’affaires ;

– paysage réglementaire en évolution ;

– incertitude politique et économique ;

– évolution des attentes en matière de présentation de l’information ;

– environnement et changements climatiques.

Je vous invite à consulter le rapport complet ci-dessous pour de plus amples informations sur chaque enjeu.

Bonne lecture !

 

Tendances en audit

 

 

Résultats de recherche d'images pour « tendances en audit »

 

 

Alors que l’innovation technologique et la cybersécurité continuent d’avoir un impact croissant sur le monde des finances et des affaires à l’échelle mondiale, tant les comités d’audit que les chefs des finances reconnaissent le besoin de compter sur des talents de haut calibre pour contribuer à affronter ces défis et à en tirer parti.

Le rôle du comité d’audit est de s’assurer que l’organisation dispose des bonnes personnes possédant l’expérience et les connaissances requises, tant au niveau de la gestion et des opérations qu’au sein même de sa constitution. Il ne s’agit que de l’un des nombreux défis à avoir fait surface dans le cadre de ce troisième numéro du rapport Tendances en audit.

Les comités d’audit d’aujourd’hui ont la responsabilité d’aider les organisations à s’orienter parmi les nombreux enjeux et défis plus complexes que jamais auxquels ils font face, tout en remplissant leur mandat traditionnel de conformité et de présentation de l’information. Alors que les comités d’audit sont pleinement conscients de cette nécessité, notre rapport indique que les comités d’audit et les chefs des finances se demandent dans quelle mesure leur organisation est bien positionnée pour faire face à la gamme complète des tendances actuelles et émergentes.

Pour mettre en lumière cette préoccupation et d’autres enjeux clés, le rapport Tendances en audit se penche sur les sept défis qui suivent :

  1. talent et capital humain;
  2. technologie et cybersécurité;
  3. perturbation des modèles d’affaires;
  4. paysage réglementaire en évolution;
  5. incertitude politique et économique;
  6. évolution des attentes en matière de présentation de l’information;
  7. environnement et changements climatiques.

Au fil de l’évolution des mandats et des responsabilités, ce rapport se révélera être une ressource précieuse pour l’ensemble des parties prenantes en audit.

Comment le CA peut-il gérer les cyber risques ?


Cet article explique comment les entreprises doivent agir afin de minimiser les risques cybernétiques et les cyberattaques.

Paula Loop*, directrice au Governance Insights Center, vient de publier les conclusions d’une étude de PwC :  2018 Global State of Information Security® Survey

Les résultats sont présentés sous forme de questions relatives à la sécurité informatique :

  1. Le CA doit-il être le responsable de la surveillance de cette activité ?
  2. Votre CA nécessite-t-il plus d’expertise dans le domaine de la cybersécurité ?
  3. Avons-nous toutes les compétences requises au sein du CA ?
  4. Possédons-nous les informations nécessaires pour la supervision des risques de cybersécurité ?
  5. Le CA, et notamment son président, a-t-il développé un niveau de relation ouverte avec le responsable des technologies (CISO) ?
  6. Comment savoir si les contrôles mis en place pour prévenir les brèches dans les systèmes sont efficaces ?

 

Les auteurs donnent un exemple de tableau de bord utile pour les CA :

 

Despite how pervasive the threats are, 44% of the 9,500 executives surveyed in PwC’s 2018 Global State of Information Security® Survey say they don’t have an overall information security strategy. That gives you a sense of how much work companies still need to do. Overseeing cyber risk is a huge challenge, but we have ideas for how directors can tackle cybersecurity head-on.

 

L’article présente également une mine d’informations eu égard aux enjeux, aux défis et aux actions qu’un CA doit entreprendre pour assurer une solide sécurité informatique.

Je vous invite à lire les conclusions de l’étude de PwC ci-dessous. Pour plus d’information sur ce sujet, vous pouvez consulter le rapport complet.

Bonne lecture !

 

Overseeing Cyber Risk

 

Résultats de recherche d'images pour « cyber risques entreprise »

 

Directors can add value as their companies struggle to tackle cyber risk. We put the threat environment in context for you and outline the top issues confronting companies and boards. And we identify concrete steps for boards to up their game in this complex area.

You don’t need us to tell you that cyber threats are everywhere. Breaches make headlines on

what seems like a daily basis. They also cost companies—in money and reputation. Indeed, cyber threats are among US CEOs’ top concerns, according to PwC’s 20th Global CEO Survey.

The pace of cyber breaches isn’t slowing. In part, we’re making it too easy for attackers. How? Employees fall for sophisticated phishing schemes, neglect to install security updates or use weak passwords. We are also doing more work on mobile devices, which tend not to be as well protected. And companies don’t always invest enough in cybersecurity or patch their systems promptly when problems are discovered.

The nature of cyber threats is also evolving. The self-propagating WannaCry attack, for instance, could infect a computer even if the user didn’t click on the link. Indeed, 2017 saw a number of major ransomware attacks that froze computer systems—keeping some companies offline for weeks.

Despite how pervasive the threats are, 44% of the 9,500 executives surveyed in PwC’s 2018 Global State of Information Security® Survey say they don’t have an overall information security strategy. That gives you a sense of how much work companies still need to do. Overseeing cyber risk is a huge challenge, but we have ideas for how directors can tackle cybersecurity head-on.

 

 

Challenge:

How can our board understand whether management’s cybersecurity and IT program reduces the risk of a major cyberattack or data breach—or actually makes the company more vulnerable?

 

Many directors are not confident that management has a handle on cyber threats. PwC’s 2017 Annual Corporate Directors Survey found that only 39% of directors are very comfortable that their company has identified its most valuable and sensitive digital assets. And a quarter had little or no faith at all that their company has identified who might attack.

There are obviously many moving parts that management needs to get right. Many companies align their programs and investments with a cybersecurity framework to help ensure they’re addressing everything they should.

For a board to oversee cyber risks effectively, it needs the right information on how the company addresses those risks. But 63% of directors say they’re not very comfortable that their company is providing the board with adequate cybersecurity metrics. [1]

Boards also shortchange the time they give to discussing cyber risks. We often see board agendas allocate relatively little time to the topic.

Another part of the challenge is that few boards have directors with current technology or cybersecurity expertise. And that puts directors at a disadvantage in being able to figure out if management is doing enough to address this area of significant risk.

 

Why does cybersecurity often break down in companies?

 

Common issues Why they matter
There’s no inventory of the company’s digital assets Companies can’t protect assets they don’t know about. Management should be able to explain what information and data they hold, why it’s needed, where it is (within the company’s systems or with third parties) and whether it’s properly protected. They should also know which data is most valuable (the crown jewels).
The company doesn’t know which third parties it digitally connects with A company may interact—and even share sensitive information—with thousands of suppliers and contractors. Hackers often target these third parties as a way to get into a company’s network. Yet more than half of companies don’t keep a comprehensive inventory of the third parties they share sensitive information with. [2]
The company hasn’t identified who is most likely to come after its data Knowing who might attack helps the company better anticipate how they might attack. That in turn may help the company put up better defenses.
The company has poor cyber hygiene Systems that aren’t properly configured are more vulnerable to attacks. So companies should employ leading practices, like multi-factor authentication, to protect highly sensitive information. They also need to do the basics right—like removing access on a timely basis for people who leave the company or change jobs.
The company hasn’t patched known system vulnerabilities System vulnerabilities are being uncovered constantly. But not all software companies push out patches to users. So the company needs to ensure someone regularly monitors to see if patch updates are available. And then make sure those fixes get made.
The company has a wide attack surface Providing more ways to access company systems makes things easier for employees, customers and third parties. And for hackers. So companies need stronger controls (such as multi-factor authentication). And they need to increase their monitoring for suspicious activity.
Employees aren’t trained on their role in security Current employees are the top source of security incidents—whether intentional or not. [3] Yet only half (52%) of executives say their company has an employee security awareness training program. [4]
Cybersecurity is viewed as the CISO’s responsibility A chief information security officer (CISO) can’t do the job alone. Other groups like Infrastructure or Operations need to cooperate and provide resources to address cyber issues.

Board action:

Focus on getting the right information and building relationships with the company’s tech and security leaders so you get a better sense of whether management is doing enough

 

 

This is a really tough area to oversee. Here are a number of questions to help as you address it.

1. Since cybersecurity is really a business issue, should the full board oversee it?

Half of directors say their audit committee is responsible for cyber risk, and 16% give it to either a separate risk committee or a separate IT committee. Only 30% say it’s a full board responsibility. [5] If the full board doesn’t want to oversee cyber risk, ensure that, at a minimum, whichever committee is assigned the responsibility provides regular and comprehensive reporting up to the whole board. And consider moving it from the already overloaded audit committee to another board committee.

2. Does our board need greater cybersecurity or technology expertise?

For some companies, the answer will be to recruit a director with serious expertise in cybersecurity. But others won’t choose to close their skill gap by adding a new director. People with these skills are hard to find, especially since the technology landscape is changing so quickly. Some boards may not have room to add another member. Others may not want to add someone with such specific expertise unless they’re confident that person could handle other board matters as well. So instead they look for other ways to address any gap, including continuing education and using outside advisors.

3. Is everyone in the room who needs to be?

The cybersecurity discussion should include business, technology and risk management leaders—as well as the CEO and CFO. Why? For one, it reinforces that cyber is an enterprise-wide issue—and that directors expect everyone to be accountable for managing the risk. The discussion also may expose other areas where there are security gaps. For example, while a CISO will often cover IT, many industrial organizations also need to protect OT—the operational technology that directs what happens in physical plants or processes. So if the CISO isn’t covering OT, the board needs to hear from whoever is.

4. Do we have the information we need to oversee cyber risk?

First, consider whether you have the basic information you need on the company’s IT environment. Without this background, it’s tough to make sense of the level of risk the company faces. There are a few key areas:

The nature of the company’s systems.

Are they developed in-house, purchased and customized or in the cloud?

Are any no longer supported by vendors?

Is the company running multiple versions of key systems in different divisions?

To what extent has the company integrated the systems of companies it acquired?

The security resources.

Where does IT security report?

What are IT security’s resources and budget? How do they compare to industry benchmarks?

Has the company adopted a cybersecurity framework (e.g., NIST, ISO 27001)?

This type of basic information doesn’t change much, so directors likely only need periodic refreshers.

On the other hand, directors will want more frequent reporting on what does change. Each company needs to figure out which items—quantitative and qualitative—are most relevant. It’s also helpful for directors to see whether management believes cyber risk is increasing, stable or decreasing.

A good dashboard gives directors an at-a-glance understanding of the state of the company’s cyber risk. There are a number of different approaches to assembling a dashboard. One is to simply classify issues between external and internal factors, like the example we show below.

If boards sense the dashboard isn’t giving a complete or accurate picture, they shouldn’t be afraid to challenge what’s presented in it. Read more to find out how.

 

Example of what a dashboard might look like

 

5. Have we built a relationship that allows the CISO to be candid with us?

The CISO has a lot of responsibility but doesn’t always have the authority to insist that other technology and business leaders fall in line. A strong relationship with the board helps the CISO feel comfortable giving directors the true picture (warts and all) of cyber risks, including his or her views on whether resources are adequate. Periodic private sessions with the CISO are a key part of understanding whether the company is doing enough to manage these risks.

6. How can we know whether the controls and processes designed to prevent data breaches are working?

Speaking to objective groups, such as internal audit, can offer the board different perspectives. The board may also want to hire its own outside consultants to periodically review the state of cybersecurity at the company and report back to the board.

 How can directors improve their knowledge of cybersecurity?

Hold deep-dive discussions about the company’s situation. That could include the company’s cybersecurity strategy, the types of cyber threats facing the company and the nature of the company’s “crown jewels.”

Attend external programs. There are a number of conferences that focus on the oversight of cyber risk.

Ask management what it has learned from connecting with peers and industry groups.

Ask law enforcement (e.g., the FBI) and other experts to present on the threat environment, attack trends and common vulnerabilities. Then discuss with management how the company is addressing these developments.

Challenge:

Given that companies are under constant attack, how can directors understand whether their company is adequately prepared to handle a breach?

 

No company is immune to the threat of a breach. One particularly scary aspect of cybersecurity is that companies may only know they’ve been breached when an outside party, such as the FBI, notifies them. Then there’s the question of what the company needs to do once it discovers a breach. Obviously it needs to investigate and patch its systems. But there’s much more.

Nearly all US states and many countries have laws requiring entities to notify individuals when there’s been a security breach involving personally identifiable information. These laws often set a deadline for notification—sometimes as short as 72 hours. The data breach notification laws change from time to time, making it a challenge to keep up to date. Separately, companies should also consider any potential SEC disclosure requirements regarding cyber risks and incidents.

Breaches can mean significant fines from regulatory agencies, as well as class-action lawsuits. They can also damage a company’s reputation and brand—resulting in loss of customers, as well as investors possibly losing confidence in the company. And as we have seen with some breaches, senior executives can lose their jobs.

Breaches also mean more costs to companies—to investigate, remediate and compensate those who were harmed. Only half of US companies have cyber insurance, [6] despite the growing number and size of incidents. In part, there’s still some skepticism on how claims will be covered.

Given how likely a breach is and how much companies need to do to respond, it’s surprising that 54% of executives say their companies don’t have an incident response plan. [7] Yet companies that responded well to a breach—thanks to better preparation—usually come out of the crisis better than those that had to scramble.

 

Board action:

Regularly review the breach and crisis management plan and lessons learned from management’s testing

 

It’s important to ask management about the company’s cyber incident response and crisis management plan on a regular basis. If there isn’t one, press management for a timeline to develop and test one.

If there is a plan, discuss what it entails and how the company intends to continue operating in the event of a disruptive attack. It should also identify everyone who needs to be involved, which could include the communications team, finance leaders, business leaders, legal counsel and the broader crisis response team, as well as IT specialists. The plan should specify which external resources are on retainer to support the internal teams. And who the company will work with on the law enforcement side.

A key part of the plan should cover breach notification and escalation procedures. When will the board be notified? What is the company’s plan to inform regulators? How and when will other stakeholders—including individuals whose personal information may have been lost—be informed?

Also ask management about plan testing and what changes were made as a result of the last test. Some directors even observe or participate in tabletop testing exercises to get a better appreciation for how management plans to address a cyber crisis.

Finally, have management explain if it has updated controls or recovery plans based on recent incidents at other organizations.

 

In conclusion…

 

As cyber threats persist, boards recognize they need to step up their cyber risk oversight. That starts when directors recognize that the responsibility for handling cyber risk goes well beyond the CISO. How? By insisting that cybersecurity be a business discussion, with the right senior executives in the room and a sophisticated understanding of the threats.

 

____________________________________________________________

Endnotes

1PwC, 2017 Annual Corporate Directors Survey, October 2017.(go back)

2Ponemon Institute, Data Risk in the Third-Party Ecosystem, September 28, 2017.(go back)

3PwC, Global State of Information Security® Survey 2018, October 2017.(go back)

4Ibid.(go back)

5PwC, 2017 Annual Corporate Directors Survey, October 2017.(go back)

6Insurance Journal, “Why 27% of U.S. Firms Have No Plans to Buy Cyber Insurance”, May 31, 2017; http://www.insurancejournal.com/news/national/2017/05/31/452647.htm(go back)

7PwC, Global State of Information Security® Survey 2018, October 2017.(go back)

_______________________________________________

*Paula Loop is Leader at the Governance Insights Center, Catherine Bromilow is Partner at the Governance Insights Center, and Sean Joyce is US Cybersecurity and Privacy Leader at PricewaterhouseCoopers LLP. This post is based on a PwC publication by Ms. Loop, Ms. Bromilow, and Mr. Joyce.

Billets récents publiés sur mon blogue en gouvernance en janvier 2018


Voici les quinze billets publiés sur mon blogue en gouvernance des sociétés en janvier 2018.

Bonne lecture ! Vos commentaires sont toujours les bienvenus.

 

 

Résultats de recherche d'images pour « blogue en gouvernance »

 

  1. Que pensez-vous des classes d’actions à droit de vote multiples ?
  2. Compte rendu hebdomadaire de la Harvard Law School Forum on Corporate Governance | 25 janvier 2018
  3. Aspects fondamentaux à considérer par les administrateurs dans la gouvernance des organisations
  4. Comment se préparer à la divulgation du ratio qui révèle la rémunération du CEO comparée à la moyenne des salaires des employés
  5. Compte rendu hebdomadaire de la Harvard Law School Forum on Corporate Governance | 18 janvier 2018
  6. BlackRock soutient le modèle de gouvernance basé sur la primauté accordée aux parties prenantes
  7. Adapter le modèle de gouvernance à la réalité des OBNL de petite taille
  8. Les administrateurs de sociétés qui cumulent plusieurs postes deviennent-ils trop accaparés ?
  9. Compte rendu hebdomadaire de la Harvard Law School Forum on Corporate Governance | 12 janvier 2018
  10. Quelle est l’influence des femmes CEO sur la structure de gouvernance des entreprises ?
  11. La souveraineté des conseils d’administration
  12. Compte rendu hebdomadaire de la Harvard Law School Forum on Corporate Governance | 4 janvier 2018
  13. Enquête de Deloitte sur la diversité des conseils d’administration
  14. Dix thèmes prioritaires à mettre à l’ordre du jour des Boards en 2018
  15. La gouvernance relative aux sociétés en 2017 | Un « Survey » des entreprises du SV 150 et de la S&P 100

Dix thèmes prioritaires à mettre à l’ordre du jour des Boards en 2018


Aujourd’hui, je partage avec vous un article de Kerry E. Berchem et Christine B. LaFollette, associés de la firme Akin Gump Strauss Hauer & Feld, qui donne un aperçu des principales préoccupations des CA en 2018.

Ce qui est intéressant, outre les thèmes choisis, c’est l’impact de l’agenda de l’administration Trump sur la gouvernance des sociétés, notamment les points suivants :

– Assouplissements de la réglementation de la SEC ;

– Applications des directives de la SEC, en autres les efforts de remplacement de la réforme Dodd-Frank ;

– Nouveaux échanges commerciaux et applications de sanctions plus sévères ;

– La réforme de la fiscalité.

Bonne lecture ! Vos commentaires sont les bienvenus.

 

Top 10 Topics for Directors in 2018

 

1. Cybersecurity threats.

Cybersecurity preparedness is essential in 2018 as the risk of, and associated adverse impact of, breaches continue to rise. The past year redefined the upward bounds of the megabreach, including the Yahoo!, Equifax and Uber hacks, and the SEC cyber-attack. As Securities and Exchange Commission (SEC) Co-Directors of Enforcement Stephanie Avakian and Steven Peikin warned, “The greatest threat to our markets right now is the cyber threat.” No crisis should go to waste. Boards should learn from others’ misfortunes and focus on governance, crisis management and recommended best practices relating to cyber issues.

2. Corporate social responsibility.

By embracing corporate social responsibility (CSR) initiatives, boards are able to proactively identify and address legal, financial, operational and reputational risks in a way that can increase the company value to all stakeholders-investors, shareholders, employees and consumers. Boards should invest in CSR programming as an integral element of company risk assessment and compliance programs, and should advocate public reporting of CSR initiatives. Such initiatives can serve as both differentiating and value-enhancing factors. According to recent studies, companies with strong CSR practices are less likely to suffer large price declines, and they tend to have better three- to five-year returns on equity, as well as a greater chance of long-term success.

3. Managing five generations of employees.

In the coming years, employers will face the unprecedented challenge of having five generations of employees in the workplace. Companies and their boards can help address these tensions by better understanding employee expectations, encouraging cross-generation mentorship, and setting an example of generational diversity with respect to company leadership and members of the board. If managed correctly, boards and companies alike can benefit from the wisdom, collaboration and innovation that comes with generational diversity.

4. Corporate strategy.

Strategic planning with a particular focus on potential acquisitions should continue to be a high priority for boards in 2018. Boards should expect to face conflicting pressures, since shareholders will expect companies to invest in both long-term growth opportunities and short-term stock enhancement measures, including the deployment of excess cash for stock buybacks. Cross-border transactions will likely continue to be attractive options, subject to increased regulatory scrutiny in certain industries and of certain buyers.

5. Board composition.

Board diversity is being actively considered and encouraged by regulators, corporate governance groups and investors, both in the United States and internationally, and the current focus on board diversity is likely to continue. Companies should review the applicable diversity-related obligations in their jurisdictions and assess their current board composition, director search and nomination process, board refreshment practices and diversity policies.

6. Shareholder activism.

Shareholder activism has entrenched itself in the modern climate of corporate governance. In particular, shareholder activists have entered industries that, until recently, have generally steered clear of such investors, including the energy sector. There is an increased emphasis by prominent investors on challenging transactions, corporate strategy and traditional corporate governance concerns, such as board composition and staggered boards.

7. Internal investigations.

Boards are increasingly confronted with the possibility of wrongdoing implicating the company or its employees. The decision whether or not to undertake an independent internal investigation, and how, requires careful consideration and consultation with counsel, since the response of the board will have important implications for the ultimate effects on the company.

8. SEC regulatory relief.

We expect that the Trump administration and the Republican-led U.S. Congress will advance reforms in 2018 designed to encourage companies toward public ownership and to facilitate capital formation in both public and private markets. Although smaller companies will likely be the greatest beneficiaries of the proposals currently being considered, many proposals are expected to also benefit large public companies-by eliminating certain duplicative and nonmaterial disclosure requirements and by addressing concerns regarding shareholder proposals.

9. SEC enforcement.

In addition to new leadership at the SEC, ambitious legislative proposals in Congress and further developments in insider trading law have the potential to impact SEC enforcement, although certain enforcement streams, such as accounting and other disclosure-related investigations, are likely to remain largely unchanged. The SEC’s own cyber breach has brought renewed focus at the agency on information security and the integrity of trading systems. Efforts to repeal Dodd-Frank have also advanced through both chambers of Congress.

10. Trade and sanctions.

During the first year of the Trump administration, U.S. sanctions were expanded significantly to include complex new restrictions that target transactions with Iran, Russia, North Korea and Venezuela, among others. Additionally, there has been an uptick in sanctions enforcement actions, including a continued focus by U.S. enforcement agencies on officers and directors that approve, or engage in, proscribed activities. Accordingly, in an effort to avoid running afoul of U.S. sanctions, boards should be vigilant in understanding how these evolving rules apply to the business activities of their companies and management teams.

Special Bonus: Tax reform.

Tax reform has been a top priority for the Trump Administration and Republicans in Congress. After a slow start to 2017 in terms of legislative wins, the House and Senate are poised to send the first comprehensive tax reform bill to the President’s desk in more than thirty years. While the differences between the House and Senate bills still need to be resolved, the new Tax Cuts and Jobs Act is expected to pass by the end of the year and will present both benefits and challenges for companies in implementation and adaptation as unintended consequences are inevitably uncovered in the months and years to come.

The complete publication is available here.